On Thu, Mar 19, 2009 at 8:29 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Joe Orton wrote, On 2009-03-19 15:15:
>> Going from 3 minutes to 10 minutes doesn't seem like it will save the
>> world (if 3 minutes was indeed putting the world at risk).
>
> Agreed. For most users 4 or 8 hours is more reasonable, to avoid more
> than one or two required logins per work day.

My reason for the conservative time suggestions is that that's what banks tend to use (my bank times me out after 15 minutes of inactivity, as does my phone company, and my electric company, and PayPal, and...).

I would put a note in the changes file (and preferably also a note that shows up at the end of the compilation of new versions of Apache) that the default session cache time is going up to better support client certificate authentication, so that administrators are made aware of this (security-policy related) change. (Not that most admins will care, but those few that do will need the notice.)

>> Does NSS/Firefox cache the SSL session for the lifetime of the browser
>> process, or what?
>
> Yes, up to 24 hours.
>
>> What about MSIE?
>
> Same, IINM.

IE7 does have a "forget sessions" button. I'd like to see a reasonable thing implemented as well in Firefox.

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
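To make the setting under discussion concrete, here is an added Apache mod_ssl configuration fragment (example configuration, not from the thread and not httpd's own defaults). The directive names are real mod_ssl directives; the hostname, file paths and the two timeout values are assumptions chosen to mirror the two positions taken in the thread.

```apache
# Added example, not from the thread: an Apache mod_ssl configuration that
# sets the session cache lifetime explicitly instead of relying on the
# compiled-in default whose value the thread discusses changing.

# Server-wide session cache (path and size are placeholders).
SSLSessionCache shmcb:/var/run/ssl_scache(512000)

# Bank-style policy along the lines Kyle describes: sessions resumable for
# 15 minutes, after which the next connection needs a full handshake.
# SSLSessionCacheTimeout 900

# Workday policy along the lines Nelson describes: sessions resumable for
# 8 hours, so a client-cert user sees one or two full handshakes per day.
SSLSessionCacheTimeout 28800

<VirtualHost *:443>
    # Placeholder hostname and certificate paths.
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Require a client certificate chained to the site's own CA (placeholder
    # path). Each full handshake re-runs this verification, and for smart-card
    # users typically re-prompts for the PIN, which is why the cache lifetime
    # above is effectively the re-authentication interval.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
</VirtualHost>
```

Two points a practitioner should keep in mind when tuning this: Apache comments must sit on their own lines (an inline comment after a directive is a syntax error), and `SSLSessionCacheTimeout` bounds how long a cached session stays resumable from its creation rather than acting as an inactivity timer, so it is a coarser control than the idle timeouts Kyle cites, and the browser may discard the session earlier on its own schedule (the thread notes Firefox keeps it up to 24 hours).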