I’m actually not a fan of login and sessions on the web, and in fact prefer a more stateless concept I call authenticated actions to the more common systems of login and “identity.”
But I’m not going to win the day soon on that, and I face many web sites that think I should have a login session, and that session should in fact terminate if I don’t click on the browser often enough. This frequently has really annoying results — you can be working on a complex form or other activity, then switch off briefly to other web sites or email to come back and find that “your session has expired” and you have to start from scratch.
There are times when there is an underlying reason for this. For example, when booking things like tickets, the site needs to “hold” your pending reservation until you complete it, but if you’re not going to complete it, they need to return that ticket or seat to the pool for somebody else to buy. But many times sessions expire without that reason. Commonly the idea is that for security, they don’t want to leave you logged on in a way that might allow somebody to come to your computer after you leave it and take over your session to do bad stuff. That is a worthwhile concept, particularly for people who will do sessions at public terminals, but it’s frustrating when it happens on the computer in your house when you’re alone.
Many sites also overdo it. While airlines need to cancel your pending seat requests after a while, there is no reason for them to forget everything and make you start from scratch. That’s just bad web design. Other sites are happy to let you stay “logged on” for a year.
To help, it would be nice if the browser had a way of communicating things it knows about your session with the computer to trusted web sites. The browser knows if you have just switched to other windows, or even to other applications where you are using your mouse and keyboard. Fancier tools have even gone so far as to use your webcam and microphone to figure if you are still at your desk or have left the computer. And you know whether your computer is in a public space, semi-public space or entirely private space. If a browser, or browser plug-in, has a standardized way to let a site query session status, or be informed of session changes and per-machine policy, sites could be smarter about logging you out. That doesn’t mean your bank still should not be paranoid if you are logged in to a session where you can spend your money, but they can be more informed about it.
The first pitfall is privacy. We don’t want every site able to query this data, and we want to limit how much they can query it to avoid being tracked. That’s not hard to do; the hard thing is making a good UI. You might let all sites know your desktop activity status for up to some time limit, but require them to ask your permission to know it at a deeper level. A console of “sites I am logged into as long as I don’t leave the computer for long” might be useful, so you know just who is watching you.
Sites should also be more aware of “less privileged” and “more privileged” actions. For example, I might not mind having my airline let me log on all day to my account, letting others in the house sneak up to the computer and see how many miles I have. However, before the site would let me actually spend the miles, it should ask me for my password again if my inner “secure session” has expired. My bank does this, requiring my password again for money transfers, though it probably doesn’t need to do that if I just logged in 1 minute ago.
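The two-tier scheme described above, as an added example that is not from the original post: a long-lived outer login plus a short-lived inner “secure session” that gates privileged actions, where the initial login also counts as a recent password entry so a user who logged in a minute ago is not prompted again. The TTL values and action names are constructed for illustration; in a real deployment both timestamps live server-side, never in a client-controlled cookie.

```python
import time
from dataclasses import dataclass
from enum import Enum


class Privilege(Enum):
    LOW = "low"    # read-only, e.g. view the miles balance
    HIGH = "high"  # spend value, e.g. redeem miles or transfer money


class Decision(Enum):
    ALLOW = "allow"    # proceed with the action
    REAUTH = "reauth"  # ask for the password again, keep the outer session
    LOGIN = "login"    # outer session expired, start from scratch


# Constructed policy values (seconds): "logged on all day" vs. a short
# inner window for privileged actions.
OUTER_SESSION_TTL = 24 * 3600
SECURE_SESSION_TTL = 5 * 60


@dataclass
class Session:
    login_at: float             # when the password was entered at login
    last_secure_auth_at: float  # most recent password entry (login counts)


def check(session: Session, privilege: Privilege, now: float) -> Decision:
    """Decide whether an action may proceed given the session's age."""
    if now - session.login_at > OUTER_SESSION_TTL:
        return Decision.LOGIN
    if privilege is Privilege.LOW:
        return Decision.ALLOW
    # Privileged action: require a recent password entry, not just a login.
    if now - session.last_secure_auth_at > SECURE_SESSION_TTL:
        return Decision.REAUTH
    return Decision.ALLOW


def reauthenticate(session: Session, now: float, password_ok: bool) -> bool:
    """Refresh the inner secure session only if the password was verified."""
    if password_ok:
        session.last_secure_auth_at = now
    return password_ok


if __name__ == "__main__":
    s = Session(login_at=time.time(), last_secure_auth_at=time.time())
    print(check(s, Privilege.HIGH, time.time()))  # ALLOW: just logged in
    print(check(s, Privilege.HIGH, time.time() + 3600))  # REAUTH: inner expired
```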
Browser hijacking is also a concern. If you’re logged into many sites where you can do something real, attackers who can hijack your browser may be able to use those sessions to do stuff. So the most important stuff still needs strong security — in fact stronger than we have now, since I think important things like large money transfers should probably use two-factor authentication with your cell phone, even if done smoothly over Bluetooth.
But the key point is that there isn’t just one right answer for how long a session at a site should be, and using just actions in that browser window as the timeout test is also clearly wrong, and we could make this a lot better.
Another security risk is people taking public computers and having them deliberately pretend to be private computers with sessions as long as possible. While you really should not be doing important stuff on public computers, nor logging in with your secret bank passwords, people sometimes feel the need for that (travel emergencies and flight bookings are major reasons), and the session timeout is intended to be a protection for that. Yes, you should check the “I am on a public computer” box, but we would not want the session-lengthening mechanism to be a weapon against this. That means that before a site will trust your computer when it says, “no really, I am still sitting here,” you would have to authenticate to the site to have it trust your browser, as well as having your browser know to trust the site. Annoying addition of UI, alas.