I think a reasonable default would be about 10 or 15 minutes, with a refresh of the session (moving it back to 0 minutes) every successful request?
-Kyle H

On Wed, Mar 18, 2009 at 6:56 AM, Joe Orton <j...@manyfish.co.uk> wrote:
> On Tue, Mar 17, 2009 at 10:26:35AM -0700, Robert Relyea wrote:
>> Cert selection for Firefox does need to be improved. On the other hand,
>> I found the larger memory footprint argument somewhat confusing. At the
>> cost of about 20 bytes per client you would rather chew up CPU and
>> network resources? That seems like a poor tradeoff to me.
>
> The numbers I remember are ~250 bytes per session without a cert, and
> ~1-2K if a client cert is used, which is the case in question.
>
> But the point about trading off against CPU/network resources is a good
> one. RFC 5246 mentions an "upper limit" of 24 hours for session ID
> lifetime, which implies a maximum rather than a default. I'll see about
> getting the mod_ssl default bumped to 12 hours and see how that works
> out. Does that seem reasonable?
>
> regards, Joe
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
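
A model of the policy proposed at the top of this message (an idle timeout that restarts on every successful request), bounded by the 24-hour upper limit from RFC 5246 that the quoted reply mentions. This is an added example, not code from the thread or from mod_ssl; the class name, function name, session state string and single-client workload are constructed for illustration.

```python
import time

RFC5246_MAX_LIFETIME = 24 * 60 * 60  # "upper limit" for session ID lifetime, in seconds


class SlidingSessionCache:
    """Model of a server-side TLS session cache (hypothetical, not mod_ssl's).

    An entry expires after idle_timeout seconds without a successful
    resumption, and unconditionally once it is older than max_lifetime.
    """

    def __init__(self, idle_timeout=15 * 60, max_lifetime=RFC5246_MAX_LIFETIME,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._entries = {}  # session_id -> (created_at, last_used_at, state)

    def store(self, session_id, state):
        now = self.clock()
        self._entries[session_id] = (now, now, state)

    def resume(self, session_id):
        """Return cached state and restart the idle timer, or None if expired."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        created, last_used, state = entry
        now = self.clock()
        if now - last_used > self.idle_timeout or now - created > self.max_lifetime:
            del self._entries[session_id]  # forces a full handshake
            return None
        self._entries[session_id] = (created, now, state)  # sliding refresh
        return state


def count_full_handshakes(interval, duration, **cache_kwargs):
    """Constructed workload: one client sends a request every `interval` seconds."""
    now = [0]
    cache = SlidingSessionCache(clock=lambda: now[0], **cache_kwargs)
    full = 0
    for t in range(0, duration + 1, interval):
        now[0] = t
        if cache.resume("client-1") is None:
            full += 1  # cache miss: full handshake, then cache the new session
            cache.store("client-1", "session-state-placeholder")
    return full
```

Without the absolute cap, a client that keeps sending requests inside the idle window would hold the same cached session, client certificate included, indefinitely.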