Session expiry

Discuss ideas and suggestions around the LDS.org website.
sterlingb
New Member
Posts: 21
Joined: Sun Nov 30, 2008 1:33 pm

Postby sterlingb » Tue Aug 02, 2011 10:30 am

I've noticed the session timeout on lds.org is pretty short. I find this to be counterproductive as I visit the site several times a day to get phone numbers or look up member information.

I can understand someone thinking it somehow increases security, but in reality all it does is force me to use my browser's ID caching to let me log in reasonably quickly. There's in fact no security benefit whatever to a short session timeout that I can think of.

Is it possible to get it increased?

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Tue Aug 02, 2011 12:45 pm

I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

russellhltn
Community Administrator
Posts: 20778
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Tue Aug 02, 2011 3:01 pm

How short is it? I think many web sites use something like 20 minutes for the session set on the web server itself. Unless you do a "Remember me" you'll always have to be logging back in. The only exception might be if there's active content on the screen that causes the browser to request periodic updates which function as a "keep alive".
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

eblood66
Senior Member
Posts: 2030
Joined: Mon Sep 24, 2007 8:17 am
Location: Cumming, GA, USA

Postby eblood66 » Tue Aug 02, 2011 3:20 pm

jdlessley wrote: I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.


I've never seen a 'Remember me?' box for the main lds.org login. Where did you find that?

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Tue Aug 02, 2011 9:21 pm

There is no 'Remember me?' for the main lds.org site now that I look at it. There is one for the forum. So I guess I can't say why I never have any problem with sessions expiring. For each site I visit that requires LDS Account logon I have never had a session expire. But then my activity on the site may keep the session timer updated.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

johnsonth
Member
Posts: 362
Joined: Tue Dec 21, 2010 12:48 pm
Location: Utah, USA

Postby johnsonth » Tue Aug 02, 2011 11:12 pm

I'll ping the project manager about it. If I remember correctly, it was set short to prevent overloading the servers, though I'm not sure if that's the right answer anymore.

sterlingb
New Member
Posts: 21
Joined: Sun Nov 30, 2008 1:33 pm

Postby sterlingb » Wed Aug 03, 2011 7:03 am

Thanks johnsonth.

johnsonth
Member
Posts: 362
Joined: Tue Dec 21, 2010 12:48 pm
Location: Utah, USA

Postby johnsonth » Thu Aug 04, 2011 2:11 pm

It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.

matthewehle
New Member
Posts: 16
Joined: Fri Aug 12, 2011 1:07 pm
Location: Riverton, Utah

Postby matthewehle » Sat Aug 13, 2011 8:08 am

johnsonth wrote: It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.


Right now, all the parts of lds.org that are SSO (single sign-on) can only have one timeout value. Thus, we have had to compromise on timeout values for sensitive applications (financials, member-leader, etc.) and those that are less sensitive (scriptures, music, etc.). That's why lds.org may have a shorter timeout value than one would expect. There is no guarantee on this, but we are also looking at technology that will allow us to have different session timeouts for different parts of lds.org.

I'm glad you found that your issue came from the crossover from HTTPS to HTTP. I was partially responsible for implementing that security change. However, I'm not sure what fix you are referring to. Is there some part of lds.org that is redirecting or linking you to HTTP? The session loss when going to HTTP is an intentional change that we made earlier this summer, and there are no plans to change it.
Matthew Ehle
Access Management Engineer
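
As an added illustration (not code from lds.org or from any poster in this thread), the sketch below shows how the idle timeout, the maximum session lifetime and the HTTPS-only behaviour discussed above interact when each part of a site can have its own timeout values. The `default` values are the ones quoted in the thread; the `sensitive` tier, all names, and modelling the HTTP drop like a `Secure` cookie are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    idle_s: int      # max seconds allowed between two requests
    absolute_s: int  # max seconds since login, regardless of activity


# "default" uses the values quoted in the thread (60 min idle, 10 h max).
# "sensitive" is a constructed, hypothetical tier for illustration only.
POLICIES = {
    "default": Policy(idle_s=60 * 60, absolute_s=10 * 3600),
    "sensitive": Policy(idle_s=15 * 60, absolute_s=2 * 3600),
}


@dataclass
class Session:
    created: float    # login time, epoch seconds
    last_seen: float  # time of the previous accepted request


def check(session, now, scheme, tier="default"):
    """Return (ok, reason). On success the idle timer is refreshed."""
    policy = POLICIES[tier]
    if scheme != "https":
        # Assumption: modelled like a cookie with the Secure attribute,
        # which browsers never send over plain http, so the server sees
        # no session on that request.
        return False, "insecure-transport"
    if now - session.created > policy.absolute_s:
        # Activity cannot extend a session past its maximum lifetime.
        return False, "absolute-timeout"
    if now - session.last_seen > policy.idle_s:
        return False, "idle-timeout"
    session.last_seen = now  # each accepted request acts as a keep-alive
    return True, "ok"
```

The absolute limit is checked before the idle limit so that periodic keep-alive requests can hold a session open only until the maximum lifetime is reached.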

