yubikey

Toshio Kuratomi a.badger at gmail.com
Wed Oct 26 19:45:30 UTC 2011


On Wed, Oct 26, 2011 at 12:11:25PM -0700, Adam Williamson wrote:
> On Wed, 2011-10-26 at 09:57 -0700, Toshio Kuratomi wrote:
> > On Tue, Oct 25, 2011 at 04:56:18PM -0700, Adam Williamson wrote:
> > > On Tue, 2011-10-25 at 16:44 -0700, Toshio Kuratomi wrote:
> > > > FAS and bodhi are single sign on (iirc, everything on
> > > > admin.fedoraproject.org). 
> > > 
> > > Well, Bodhi seems to do a damn good job of forgetting you're signed in.
> > > I've never tried to analyze this carefully, it's just a subjective
> > > feeling that I seem to have to log into it a hell of a lot...
> > >
> > It's supposed to be 20 minutes of inactivity (i.e., make no requests to
> > fas/bodhi/pkgdb/elections in 20 minutes and your session expires).
> > 
> > There's only one time that I've found this to not work when I've actually
> > measured it.  That was when we had time skew on our fas servers.  So when
> > a session was updated on one server, it updated the session information with
> > a timestamp far enough in the past that the next server to check the session
> > decided that it was expired.
> 
> Well, 20 mins inactivity sounds about 'right', as in, it matches my
> experience. Seems like a very short timeout, but maybe it's appropriate.
>
We've asked for feedback from some of our Fedora security people about best
practice here but I get the impression no one wants to commit on what best
practices are.  If you can find a best practice for idle timeouts somewhere
that I can read up on, I can certainly look at making the session last
longer.

-Toshio
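A small model of the clock-skew failure described above (a session touched on one server and then judged expired by another), added here as an illustration and not code from FAS or Bodhi; the server names, timestamps and the central-clock variant are constructed assumptions:

```python
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=20)  # the 20-minute idle timeout from the thread


class Server:
    """One front end sharing a session store; `skew` models how far its clock is off."""

    def __init__(self, name, skew=timedelta(0)):
        self.name = name
        self.skew = skew

    def now(self, true_now):
        return true_now + self.skew


def touch_local(store, sid, server, true_now):
    """Stamp the session with the touching server's own (possibly skewed) clock."""
    store[sid] = server.now(true_now)


def touch_central(store, sid, true_now):
    """Stamp the session with one central clock (e.g. the store's own time), not the front end's."""
    store[sid] = true_now


def is_valid(store, sid, server, true_now):
    """Expire the session if the checking server thinks it has been idle > IDLE_TIMEOUT."""
    last = store.get(sid)
    if last is None:
        return False
    return server.now(true_now) - last <= IDLE_TIMEOUT


def scenario(skew_minutes, central=False):
    """Touch on fas1 (clock behind by skew_minutes), check on fas2 one minute later."""
    store = {}
    t0 = datetime(2011, 10, 26, 19, 45, tzinfo=timezone.utc)  # constructed timestamp
    fas1 = Server("fas1", skew=timedelta(minutes=-skew_minutes))  # constructed names
    fas2 = Server("fas2")
    if central:
        touch_central(store, "sess", t0)
    else:
        touch_local(store, "sess", fas1, t0)
    return is_valid(store, "sess", fas2, t0 + timedelta(minutes=1))


if __name__ == "__main__":
    print("no skew, survives:", scenario(0))
    print("25 min skew, survives:", scenario(25))
    print("25 min skew, central clock, survives:", scenario(25, central=True))
```

With the front-end clock 25 minutes behind, the session looks 26 minutes idle to the next server and is dropped after only one real minute; stamping with a single clock (or keeping the servers in sync with NTP) removes the discrepancy.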