On Thu, Mar 19, 2009 at 11:57 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Kyle Hamilton wrote, On 2009-03-19 23:07:
>
>> My reason for the conservative time suggestions is because that's what
>> banks tend to use (my bank times me out after 15 minutes of
>> inactivity, as does my phone company, and my electric company, and
>> PayPal, and...).
>
> But those are *minutes of inactivity*. SSL session lifetimes typically
> do not take activity (or inactivity) into account. If you set a 10
> minute lifetime, then 10 minutes later, that session will end, and you
> must reauthenticate again. So, 10 minutes means reauthenticating 6
> times each hour, 48 times per work day. :(

Joe Orton said: With the default mod_ssl cache, I think that the session
should already get stored back to the cache with a fresh expiry time after
each connection is terminated, but I'm not sure.

Here's the biggest "impedance mismatch" (as Ian put it) between the client
and server: From the client's perspective, the session should last as long
as there's activity often enough (barring positive action on the part of the
user to "log out of all SSL-secured sites"). On the server, from your
statement of the 'typical' viewpoint, there's a fixed maximum lifetime for a
session. This is what's causing most of these problems.

>> IE7 does have a "forget sessions" button. I'd like to see a
>> reasonable thing implemented as well in Firefox.
>
> FF has had this feature for years.

...and it's mixed in with erasing browsing history, download history, saved
form and search history, and cache history. There's
browser.cache.disk_cache_ssl, but it's false by default, so why would I need
to clear the cache to prevent access to TLS-authenticated pages? I just want
to deauthenticate my TLS sessions. I don't want to lose track of where I've
been, or what I've downloaded, and I would be willing to bet that a lot of
others don't want to, either. (Not to mention that it's under the Privacy
tab of the Preferences, which isn't exactly the easiest place to find a
'log out' button that's cleverly named "Clear Now...")

But every time I bring up the inadequacy of the current UI I'm always told
"talk to the chrome folks". This is fruitless, trying to have any kind of
discussion with the people here. This would be better on
dev-security-policy. (Or would it be dev-security?)

-Kyle H
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
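The two cache policies argued over above (a fixed absolute session lifetime versus an expiry that is refreshed every time the session is written back to the cache) can be compared with a small simulation. The code below is an added example written for this page; it is not mod_ssl, NSS or any browser's code, and it models only the expiry decision. It assumes an 8-hour work day and a single client that reconnects at a fixed interval; `ServerSessionCache` and `count_full_handshakes` are names invented here.

```python
"""Toy model of a server-side TLS session cache, comparing a fixed absolute
lifetime with a lifetime refreshed on every use.
Constructed example; not mod_ssl, NSS or any real implementation."""
from dataclasses import dataclass
from typing import Dict, Optional

WORK_DAY_S = 8 * 3600  # constructed assumption: an 8-hour work day


@dataclass
class CachedSession:
    created: float    # time of the full handshake that produced this session
    last_used: float  # last time the session was resumed and written back


class ServerSessionCache:
    """Session cache with either absolute expiry (refresh_on_use=False, the
    'typical' server behaviour described in the thread) or idle expiry that
    is reset on every use (refresh_on_use=True, the behaviour Joe Orton
    suspected of the default mod_ssl cache)."""

    def __init__(self, lifetime_s: float, refresh_on_use: bool) -> None:
        self.lifetime_s = lifetime_s
        self.refresh_on_use = refresh_on_use
        self._store: Dict[int, CachedSession] = {}
        self._next_id = 0

    def _expired(self, s: CachedSession, now: float) -> bool:
        # Absolute policy measures from creation; refresh policy from last use.
        anchor = s.last_used if self.refresh_on_use else s.created
        return now - anchor >= self.lifetime_s

    def resume(self, session_id: Optional[int], now: float) -> bool:
        """True if the client's session id is still resumable; False means the
        server must run a full handshake (and the user reauthenticates)."""
        if session_id is None:
            return False
        s = self._store.get(session_id)
        if s is None:
            return False
        if self._expired(s, now):
            del self._store[session_id]  # evict, as a real cache would
            return False
        s.last_used = now  # written back with a fresh timestamp
        return True

    def new_session(self, now: float) -> int:
        sid = self._next_id
        self._next_id += 1
        self._store[sid] = CachedSession(created=now, last_used=now)
        return sid


def count_full_handshakes(lifetime_s: float, interval_s: float,
                          duration_s: float, refresh_on_use: bool) -> int:
    """Simulate one client connecting every interval_s seconds for duration_s
    seconds and return how many full handshakes the cache policy forces."""
    cache = ServerSessionCache(lifetime_s, refresh_on_use)
    client_sid: Optional[int] = None
    full_handshakes = 0
    t = 0.0
    while t < duration_s:
        if not cache.resume(client_sid, t):
            client_sid = cache.new_session(t)
            full_handshakes += 1
        t += interval_s
    return full_handshakes


if __name__ == "__main__":
    for refresh in (False, True):
        n = count_full_handshakes(600, 60, WORK_DAY_S, refresh)
        print(f"10-minute lifetime, activity every minute, "
              f"refresh_on_use={refresh}: {n} full handshakes per work day")
```

With a 10-minute lifetime and a request every minute, the absolute policy reproduces the 48 reauthentications per work day Nelson computed, while the refresh-on-use policy needs a single full handshake. Once the client's idle gap exceeds the lifetime, both policies force a full handshake on every connection, which is the inactivity timeout the bank-style UX expects.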