On Wed, Oct 26, 2011 at 9:45 PM, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote: > On Wed, Oct 26, 2011 at 12:11:25PM -0700, Adam Williamson wrote: >> >> Well, 20 mins inactivity sounds about 'right', as in, it matches my >> experience. seems like a very short timeout, but maybe it's appropriate. >> > We've asked for feedback from some of our Fedora security people about best > practice here but I get the impression no one wants to commit on what best > practices are. If you can find a best practice for idle timeouts somewhere > that I can read up on, I can certainly look at making the session last > longer. It's not the 20 minute timeout that bothers me. It's the damn CSRF avoiding "I am human" process that bugs the hell out of me. At least pkgdb has a "verify login" button on each page so I'm only one click away from really being logged in. Bodhi doesn't even pretend to believe that I might be human, forcing me to a fresh "login" page each and every time I follow a link from somewhere else. -- Iain. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
