Joe Orton wrote, On 2009-03-19 15:15:
> On Wed, Mar 18, 2009 at 07:42:12AM -0700, Kyle Hamilton wrote:
>> I think a reasonable default would be about 10 or 15 minutes, with a
>> refresh of the session (moving it back to 0 minutes) every successful
>> request?
>
> With the default mod_ssl cache, I think that the session should already
> get stored back to the cache with a fresh expiry time after each
> connection is terminated, but I'm not sure.
>
> Going from 3 minutes to 10 minutes doesn't seem like it will save the
> world (if 3 minutes was indeed putting the world at risk).

Agreed. For most users 4 or 8 hours is more reasonable, to avoid more than one or two required logins per work day.

> Does NSS/Firefox cache the SSL session for the lifetime of the browser
> process, or what?

Yes, up to 24 hours.

> What about MSIE?

Same, IINM.

> Regards, Joe

/Nelson

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto