Message-ID: <517C046E.30207@kaltenbrunner.cc>
Date: Sat, 27 Apr 2013 19:01:34 +0200
From: Stefan Kaltenbrunner
To: Magnus Hagander
CC: Bruce Momjian, "Joshua D. Drake", Paul Waring, PostgreSQL WWW
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?

On 04/27/2013 05:24 PM, Magnus Hagander wrote:
> On Sat, Apr 27, 2013 at 4:09 PM, Bruce Momjian wrote:
>> On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
>>> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
>>>>
>>>> On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
>>>>
>>>>> interesting hint - thanks.
>>>>>
>>>>> I have now increased the relevant timeouts to 6h - let's see how that
>>>>> goes..
>>>>
>>>> FTR, I don't think we should autologout people or at least it should be
>>>> set to something like 7D.
>>>
>>> well from a security perspective it is usually advisable to keep session
>>> lifetimes as short as possible, I agree that the current setup was way
>>> too aggressive, but 6h already results in a 6-15x increase of what we had
>>> before. We can always adjust upwards if people are really working 6h+
>>> on an article but let's see first if this change really fixes the issue
>>> berkus complained about.
>>
>> This is a wiki, not a banking website. We need to use security that is
>> appropriate for what we are guarding. We could just prevent edits and
>> it would be even more secure. ;-)
>>
>> I would like 7 days, myself.
>
> Note that this is not 7 days since you logged in. It's 7 days since
> you last did something. And as long as you don't stop working, you
> never get logged out ;)

and from looking at the average time between changes and the overall
change rate of any given site I don't really see how people will
realistically hit the 6h limit. Anyhow if somebody wants to change this
to a larger limit I won't object, but 7 days seems mighty excessive...

Stefan
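
The difference this thread turns on, a timeout counted from login versus one counted from last activity, shown as an added example that is not part of the original message. The function names are hypothetical and the activity traces are constructed; only the 6h and 7-day values come from the thread.

```python
from datetime import datetime, timedelta

def idle_expiry(login, activity, idle_timeout):
    """Sliding (idle) timeout: every accepted request resets the clock.
    Returns the moment the session finally expires."""
    last = login
    for t in sorted(activity):
        if t - last > idle_timeout:
            break              # session was already dead when this request arrived
        last = t
    return last + idle_timeout

def absolute_expiry(login, lifetime):
    """Fixed lifetime counted from login, regardless of activity."""
    return login + lifetime

def rejected_requests(login, activity, idle_timeout):
    """Requests arriving after the idle timeout fired (user must log in again)."""
    expires = idle_expiry(login, activity, idle_timeout)
    return [t for t in sorted(activity) if t > expires]

# Constructed trace: an editor who saves at irregular intervals.
LOGIN = datetime(2013, 4, 27, 9, 0)
TRACE = [LOGIN + timedelta(hours=h) for h in (1, 5, 10.5, 18)]  # gaps: 1h, 4h, 5.5h, 7.5h

# Constructed trace: one request every 5 hours for 10 days (never idle for 6h).
STEADY = [LOGIN + timedelta(hours=5 * i) for i in range(1, 49)]

SIX_HOURS = timedelta(hours=6)
SEVEN_DAYS = timedelta(days=7)

if __name__ == "__main__":
    print("6h idle, irregular editor expires:", idle_expiry(LOGIN, TRACE, SIX_HOURS))
    print("  requests forced to re-login:", rejected_requests(LOGIN, TRACE, SIX_HOURS))
    print("7d idle, irregular editor expires:", idle_expiry(LOGIN, TRACE, SEVEN_DAYS))
    print("6h idle, steady activity expires:", idle_expiry(LOGIN, STEADY, SIX_HOURS))
    print("7d absolute lifetime would expire:", absolute_expiry(LOGIN, SEVEN_DAYS))
```

With an idle timeout, the steady trace outlives a 7-day absolute lifetime even at the 6h setting, which is why the idle value bounds exposure of an abandoned session rather than the total age of an active one.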