Date: Fri, 3 May 2013 09:23:45 -0400
From: Bruce Momjian
To: Magnus Hagander
Cc: "Joshua D. Drake", Stefan Kaltenbrunner, Paul Waring, PostgreSQL WWW
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
Message-ID: <20130503132345.GG3374@momjian.us>
References: <517A6C78.7000101@xk7.net> <517A7144.4070204@xk7.net> <517B729C.4060906@kaltenbrunner.cc> <517B7658.9070209@commandprompt.com> <517B9613.4090201@kaltenbrunner.cc> <20130427140914.GA20361@momjian.us> <517BFC61.2070307@commandprompt.com> <20130503004045.GC3374@momjian.us>
List: pgsql-www

On Fri, May 3, 2013 at 10:19:09AM +0200, Magnus Hagander wrote:
> >> >> Well, from a security perspective it is usually advisable to keep session
> >> >> lifetimes as short as possible. I agree that the current setup was way
> >> >> too aggressive, but 6h already results in a 6-15x increase of what we had
> >> >> before. We can always adjust upwards if people are really working 6h+
> >> >> on an article, but let's see first if this change really fixes the issue
> >> >> berkus complained about.
> >> >
> >> > This is a wiki, not a banking website. We need to use security that is
> >> > appropriate for what we are guarding. We could just prevent edits and
> >> > it would be even more secure. ;-)
> >> >
> >> > I would like 7 days, myself.
> >>
> >> Yep, I mean really, it is a wiki.
> >
> > OK, please make it 7 days. I keep the wiki tab open on my browser and
> > having to log in every day is a pain. Now, if you want me to stop using
> > the wiki, I am happy to do that.
>
> Really, Bruce?

Yes, really. I am not saying I will stop using the wiki, but it certainly would be nice if I didn't have to use the wiki because others used it more. And the more cumbersome the wiki is to use, the more I would like to avoid using it --- that's just natural.
I would think we would have a setup to encourage people to use the wiki more by making it easier to use. I moved to the wiki so others could update the TODO list, but history shows that I am still making the majority of the edits:

https://wiki.postgresql.org/index.php?title=Todo&action=history

I do appreciate others making changes, but some of them are added without discussion, so they need to be reviewed. However, I don't always get email when someone edits because of some logic that only emails me the first time, unless I go to the site, though I have the TODO list tab always open --- I never understood that. There are other oddities, like many of the "Contents" links not working (e.g. "Montoring"), and broken output when links contain '=', so I added a cron job on my machine to check for them.

I asked about this timeout issue over a year ago, and was told no one knew the cause. Now that the cause was found, I am told that the administrators want to set a timeout that is less than any other non-commerce website I visit because of security. To me that reflects a distorted view of usability vs. security, and all for a wiki site. So if someone responsible wants to work on the TODO list, go ahead, it is all there ready for you. Odds are, I will never even see notifications of your changes anyway. :-(

Administrators say they increased the timeout 10x and need feedback if it needs to be increased further? Do you need me to notice that every day I have to hit the 'edit' button, realize my session has timed out, then hit the login button and try again? It happened this morning --- is that sufficient? I have no idea. Do these cookies control anything but the wiki? I assume not, because 20 minutes was the MediaWiki default.
So, in summary, there are all these things on the wiki that don't work, but I am having to fight to get something we can fix to a reasonable default, and at a certain point, you just give up and find a way to do it yourself, like maybe an auto-login javascript widget for the wiki. (No, I have not written one, _yet_. ;-) )

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB   http://enterprisedb.com

  + It's impossible for everything to be true. +

-- 
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www