yubikey

[Iain Arnell]

On Wed, Oct 26, 2011 at 9:45 PM, Toshio Kuratomi <a.badger at gmail.com> wrote:
> On Wed, Oct 26, 2011 at 12:11:25PM -0700, Adam Williamson wrote:
>>
>> Well, 20 mins inactivity sounds about 'right', as in, it matches my
>> experience. seems like a very short timeout, but maybe it's appropriate.
>>
> We've asked for feedback from some of our Fedora security people about best
> practice here but I get the impression no one wants to commit on what best
> practices are.  If you can find a best practice for idle timeouts somewhere
> that I can read up on, I can certainly look at making the session last
> longer.

It's not the 20 minute timeout that bothers me. It's the damn CSRF
avoiding "I am human" process that bugs the hell out of me. At least
pkgdb has a "verify login" button on each page so I'm only one click
away from really being logged in. Bodhi doesn't even pretend to
believe that I might be human, forcing me to a fresh "login" page each
and every time I follow a link from somewhere else.

-- 
Iain.