undefined | Better HN

0 pointsdkdbejwi3834y ago0 comments

The product I work on now logs users out after 15 minutes. It's a service where the average user would probably spend a good few hours of their day.

We're actively harming the user experience (and driving paying customers away) because of some "expert" advice.

0 comments

cm21874y ago

The ones that puzzle me even more are the intranet websites that log you off after x minutes whereas they work with single sign on, ie no password entered, so not sure what security benefit that achieves. But they make you lose whatever you were doing in the process.

chillfox4y ago

Usually that comes down to single sign off being a lot harder to do than single sign on. So they just use a timer on each app for the sign off.

Jach4y ago

What continues to grimly amuse me is that many of these websites that also have a mobile app will basically keep you signed in forever on the mobile app. It's just the website, where most people would prefer to do their heavy lifting work on, that has the anti-usability nonsense that makes you install plugins like auto-refresh-every-10-minutes.

sneak4y ago

The problem with the security industry is that there's no way for non-experts to reliably assess "I'm an expert, trust me!" from a practitioner.

I'm not really sure what the best fix is; there are many possible ones. I've seen total clowns pushing decades-old nonsense be taken seriously by competent businesses simply because they thought "hiring an expert" was enough, like they're a plumber or something.

_jal4y ago

It is no different than doctors or mechanics or lawyers. Reputation is your best guide. In security-land, there are some certifications that are fairly rigorous; some of those can serve as a distant second.

dvtrn4y ago

Doctors and lawyers are professions that are regulated by licensure, of which unauthorized practice comes with actual real and not made up legal consequences. Where is the similar licensure that tech security professionals are regulated by?

I think that’s a big difference.

OldTimeCoffee4y ago

You may have missed the point being made. You find a good security professional the same way you find a good lawyer or doctor. Ask around for a reference for a good one. Then check their credentials (e.g., what certifications they have).

I believe there was an article on HN recently about a startup that used a "lawyer" that wasn't because they didn't check their credentials after getting a great reference. Just because there are consequences doesn't mean it doesn't happen.

1 more reply

_jal4y ago

It is normal to get a little confused when you ignore half the comment.

1 more reply

abcxjeb2844y ago

This one is based in security standards :( https://security.stackexchange.com/questions/45455/which-sec... (link talks about screen locking but similar vibe for app logout for various certification bodies)

dkdbejwi383OP4y ago

At least this is based on "inactivity", compared to "authentication tokens must have a maximum lifespan of 15 minutes"

kenniskrag4y ago

imho better would be if the site just asks for the 2fa again after sending the form.

Cthulhu_4y ago

After 15 minutes, or 15 minutes of inactivity? The latter is defensible at least, in e.g. a public area where there is a risk of people leaving their desktops without locking them. I mean that's another policy issue that can be addressed (a policy that locks a system after x amount of inactivity), but as an app developer you can't know much about the system things are running on.

Retric4y ago

Careful. Filling out a long form isn’t 15 minutes of inactivity, but a huge range of websites assume it is.

hallway_monitor4y ago

PTSD causes me to copy and paste big blocks of text out of a text area before submitting every time.

ta9884y ago

sounds like what an extension could do. store in localstorage the last hour of forms. I especially hate clicking submit to get an error and an empty form again.

alistairSH4y ago

Ugh, a form that takes 15 minutes or more to fill out, without any feedback or other interaction, is itself a UX problem. It should at least be auto-saving.

egypturnash4y ago

More likely it will have a “submit” button that runs a script that blocks submission wen you missed a field. And wipes out a couple of other fields (usually passwords) so that you have to re-enter those after hitting that “submit” button again.

cactus20934y ago

But should all sites really be optimized for the user at a public library computer? At the expense of convenience for the large majority of users that are on a personal or work computer? Doesn’t make much sense to me.

Also the computer itself solves this problem for you in many cases, a guest profile typically deletes all browser session info when you log out.

alistairSH4y ago

All sites? Probably not.

Many sites? Probably.

You're assuming people log out reliably or otherwise behave in the most secure way. They don't.

I also don't see how logging out/killing a session after 15 minutes of inactivity is much of a hardship for the user.

fauigerzigerk4y ago

I hate _all_ sites that do this and I actively avoid them. There are many very good reasons why I might not be able to complete a form without interruption. It's not for them second guess me.

And it's not just extremely annoying, it's also completely unnecessary. Just put a "trust this browser" checkbox on the sign-in page and adjust the session timeout accordingly.

1 more reply

j / k navigate · click thread line to collapse

0 comments

cm21874y ago

chillfox4y ago

Usually that comes down to single sign off being a lot harder to do than single sign on. So they just use a timer on each app for the sign off.

Jach4y ago

sneak4y ago

The problem with the security industry is that there's no way for non-experts to reliably assess "I'm an expert, trust me!" from a practitioner.

_jal4y ago

dvtrn4y ago

I think that’s a big difference.

OldTimeCoffee4y ago

1 more reply

_jal4y ago

It is normal to get a little confused when you ignore half the comment.

1 more reply

abcxjeb2844y ago

dkdbejwi383OP4y ago

At least this is based on "inactivity", compared to "authentication tokens must have a maximum lifespan of 15 minutes"

kenniskrag4y ago

imho better would be if the site just asks for the 2fa again after sending the form.

Cthulhu_4y ago

Retric4y ago

Careful. Filling out a long form isn’t 15 minutes of inactivity, but a huge range of websites assume it is.

hallway_monitor4y ago

PTSD causes me to copy and paste big blocks of text out of a text area before submitting every time.

ta9884y ago

sounds like what an extension could do. store in localstorage the last hour of forms. I especially hate clicking submit to get an error and an empty form again.

alistairSH4y ago

Ugh, a form that takes 15 minutes or more to fill out, without any feedback or other interaction, is itself a UX problem. It should at least be auto-saving.

egypturnash4y ago

cactus20934y ago

Also the computer itself solves this problem for you in many cases, a guest profile typically deletes all browser session info when you log out.

alistairSH4y ago

All sites? Probably not.

Many sites? Probably.

You're assuming people log out reliably or otherwise behave in the most secure way. They don't.

I also don't see how logging out/killing a session after 15 minutes of inactivity is much of a hardship for the user.

fauigerzigerk4y ago

I hate _all_ sites that do this and I actively avoid them. There are many very good reasons why I might not be able to complete a form without interruption. It's not for them second guess me.

And it's not just extremely annoying, it's also completely unnecessary. Just put a "trust this browser" checkbox on the sign-in page and adjust the session timeout accordingly.

1 more reply

j / k navigate · click thread line to collapse