Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.72) (envelope-from
	<pgsql-www-owner+M21586=pgsql+2Dwww=arkaria.postgresql.org@postgresql.org>)
	id 1UW6zh-0004bk-Uj
	for pgsql-www@arkaria.postgresql.org; Sat, 27 Apr 2013 15:24:58 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.72) (envelope-from
	<pgsql-www-owner+M21586=pgsql+2Dwww=arkaria.postgresql.org@postgresql.org>)
	id 1UW6zh-0001Qe-FP
	for pgsql-www@arkaria.postgresql.org; Sat, 27 Apr 2013 15:24:57 +0000
Received: from makus.postgresql.org ([2001:4800:7903:4::125])
	by malur.postgresql.org with esmtp (Exim 4.72)
	(envelope-from <magnus@hagander.net>) id 1UW6zg-0001QZ-Vw
	for pgsql-www@postgresql.org; Sat, 27 Apr 2013 15:24:57 +0000
Received: from mail-vb0-x22b.google.com ([2607:f8b0:400c:c02::22b])
	by makus.postgresql.org with esmtp (Exim 4.72)
	(envelope-from <magnus@hagander.net>) id 1UW6ze-00006u-Dm
	for pgsql-www@postgresql.org; Sat, 27 Apr 2013 15:24:56 +0000
Received: by mail-vb0-f43.google.com with SMTP id q13so3286825vbe.16
	for <pgsql-www@postgresql.org>; Sat, 27 Apr 2013 08:24:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=mime-version:x-received:in-reply-to:references:date:message-id
	:subject:from:to:cc:content-type:x-gm-message-state;
	bh=y0V5FBaSimDAOikyA8ADgIquRpyQyUobDShvPSBB/FQ=;
	b=Z30B7Gioy6Fw3POVcCvXeeW8XoD8aCrhDn6eWoiiLWq3TAyUcbigVoW0l6eP3Xt1l/
	agIOE3lErDXPADRWrhbRPQnUo8faUyHC0f2By8iy1AuuB0Wi0YJlZWBr8tgZ4LipfyWC
	nSwjlyz8GLtqm5eN0Cu9S6bTy2vr7aWiYZ3DxuyGJE9ghyS7yTPeArjsknTQbMWt9FLu
	QYvrO6s4lmYSxFvHM7Fso6LnclOw68OgwsJuKwUf8VzMzVqwzSB+dEmBJFrN0V+Z46Vj
	zTPZog++Tbh888j6a9V/n1NaU3wQeGT7gFymKuIeGRHBLEt3m2mvC1QMrmownnCE1/F9
	4Rzw==
MIME-Version: 1.0
X-Received: by 10.52.93.179 with SMTP id cv19mr8572451vdb.20.1367076292121;
	Sat, 27 Apr 2013 08:24:52 -0700 (PDT)
Received: by 10.58.74.232 with HTTP; Sat, 27 Apr 2013 08:24:51 -0700 (PDT)
In-Reply-To: <20130427140914.GA20361@momjian.us>
References: <5179CD76.6030908@agliodbs.com>
	<CABUevEymuYyyof68ASuDt9GBpFOvF2r0WNyk8JxK1nbGG70Rpw@mail.gmail.com>
	<517A6C78.7000101@xk7.net>
	<CABUevEw0asBAR6jS=aqKBG1OAJmTsMP1FiocCm-cLJfqGEAm_w@mail.gmail.com>
	<517A7144.4070204@xk7.net> <517B729C.4060906@kaltenbrunner.cc>
	<517B7658.9070209@commandprompt.com>
	<517B9613.4090201@kaltenbrunner.cc>
	<20130427140914.GA20361@momjian.us>
Date: Sat, 27 Apr 2013 17:24:51 +0200
Message-ID: 
 <CABUevEwn9jDpaVSHb9c74WR0tOjjZYPgk4VgpB97V9+Go4dtYQ@mail.gmail.com>
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
From: Magnus Hagander <magnus@hagander.net>
To: Bruce Momjian <bruce@momjian.us>
Cc: Stefan Kaltenbrunner <stefan@kaltenbrunner.cc>,
	"Joshua D. Drake" <jd@commandprompt.com>,
	Paul Waring <paul@xk7.net>, PostgreSQL WWW <pgsql-www@postgresql.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: 
 ALoCoQlqR5UhWB3rYutH0KgSu/D/fXbiUPYABeKbqXTHNdlFw5iR3iMOxk+//Yf7M08+hghbQ9pe
X-Pg-Spam-Score: -1.9 (-)
List-Archive: <http://archives.postgresql.org/pgsql-www>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-www.postgresql.org>
List-Owner: <mailto:pgsql-www-owner@postgresql.org>
List-Post: <mailto:pgsql-www@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-www>
List-Unsubscribe: <mailto:majordomo@postgresql.org?body=unsub%20pgsql-www>
X-Mailing-List: pgsql-www
Precedence: bulk
Sender: pgsql-www-owner@postgresql.org

On Sat, Apr 27, 2013 at 4:09 PM, Bruce Momjian <bruce@momjian.us> wrote:
> On Sat, Apr 27, 2013 at 11:10:43AM +0200, Stefan Kaltenbrunner wrote:
>> On 04/27/2013 08:55 AM, Joshua D. Drake wrote:
>> >
>> > On 04/26/2013 11:39 PM, Stefan Kaltenbrunner wrote:
>> >
>> >> interesting hint - thanks.
>> >>
>> >> I have now increased the relevant timeouts to 6h - lets see how that
>> >> goes..
>> >
>> > FTR, I don't think we should autologout people or at least it should be
>> > set to something like 7D.
>>
>> well from a security perspective it is usually advisable to keep session
>> lifetimes as short as possible, I agree that the current setup was way
>> to aggressive, but 6h already results in a 6-15x increase of what we had
>> before. We can always adjust upwards if we people are really working 6h+
>> on an article but lets see first if this change really fixes the issue
>> berkus complained about.
>
> This is a wiki, not a banking website.  We need to use security that is
> appropriate for what we are guarding.  We could just prevent edits and
> it would be even more secure.  ;-)
>
> I would like 7 days, myself.

Note that this is not 7 days since you logged in. It's 7 days since
you last did something. And as long as you don't stop working, you
never get logged out ;)


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


-- 
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www