public inbox for [email protected]  
From: Stefan Kaltenbrunner <[email protected]>
To: Magnus Hagander <[email protected]>
Cc: Bruce Momjian <[email protected]>
Cc: Joshua D. Drake <[email protected]>
Cc: Paul Waring <[email protected]>
Cc: PostgreSQL WWW <[email protected]>
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
Date: Sat, 27 Apr 2013 19:01:34 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <CABUevEwn9jDpaVSHb9c74WR0tOjjZYPgk4VgpB97V9+Go4dtYQ@mail.gmail.com>
References: <[email protected]>
	<CABUevEymuYyyof68ASuDt9GBpFOvF2r0WNyk8JxK1nbGG70Rpw@mail.gmail.com>
	<[email protected]>
	<CABUevEw0asBAR6jS=aqKBG1OAJmTsMP1FiocCm-cLJfqGEAm_w@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CABUevEwn9jDpaVSHb9c74WR0tOjjZYPgk4VgpB97V9+Go4dtYQ@mail.gmail.com>
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgsql-www>

On 04/27/2013 05:24 PM, Magnus Hagander wrote:
> On Sat, Apr 27, 2013 at 4:09 PM, Bruce Momjian <[email protected]> wrote:
>> On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
>>> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
>>>>
>>>> On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
>>>>
>>>>> interesting hint - thanks.
>>>>>
>>>>> I have now increased the relevant timeouts to 6h - let's see how that
>>>>> goes..
>>>>
>>>> FTR, I don't think we should autologout people or at least it should be
>>>> set to something like 7D.
>>>
>>> well from a security perspective it is usually advisable to keep session
>>> lifetimes as short as possible, I agree that the current setup was way
>>> too aggressive, but 6h already results in a 6-15x increase of what we had
>>> before. We can always adjust upwards if people are really working 6h+
>>> on an article but let's see first if this change really fixes the issue
>>> berkus complained about.
>>
>> This is a wiki, not a banking website.  We need to use security that is
>> appropriate for what we are guarding.  We could just prevent edits and
>> it would be even more secure.  ;-)
>>
>> I would like 7 days, myself.
> 
> Note that this is not 7 days since you logged in. It's 7 days since
> you last did something. And as long as you don't stop working, you
> never get logged out ;)

and from looking at the average time between changes and the overall
change rate of any given site I don't really see how people will
realistically hit the 6h limit. Anyhow if somebody wants to change this
to a larger limit I won't object, but 7 days seems mighty excessive...


Stefan


-- 
Sent via pgsql-www mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www


