Session expiry

Discuss ideas and suggestions around the Church website.
sterlingb
New Member
Posts: 21
Joined: Sun Nov 30, 2008 1:33 pm


#1

Post by sterlingb »

I've noticed the session timeout on lds.org is pretty short. I find this to be counterproductive as I visit the site several times a day to get phone numbers or look up member information.

I can understand someone thinking it somehow increases security, but in reality all it does is force me to use my browser's ID caching to let me log in reasonably quickly. There's in fact no security benefit whatever to a short session timeout that I can think of.

Is it possible to get it increased?
jdlessley
Community Moderators
Posts: 9858
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#2

Post by jdlessley »

I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#3

Post by russellhltn »

How short is it? I think many web sites use something like 20 minutes for the session set on the web server itself. Unless you do a "Remember me" you'll always have to be logging back in. The only exception might be if there's active content on the screen that causes the browser to request periodic updates which function as a "keep alive".
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
eblood66
Senior Member
Posts: 3907
Joined: Mon Sep 24, 2007 9:17 am
Location: Cumming, GA, USA

#4

Post by eblood66 »

jdlessley wrote: I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.

I've never seen a 'Remember me?' box for the main lds.org login. Where did you find that?
jdlessley
Community Moderators
Posts: 9858
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#5

Post by jdlessley »

There is no 'Remember me?' for the main lds.org site now that I look at it. There is one for the forum. So I guess I can't say why I never have any problem with sessions expiring. For each site I visit that requires LDS Account logon I have never had a session expire. But then my activity on the site may keep the session timer updated.
JD Lessley
tomjoht
Member
Posts: 362
Joined: Tue Dec 21, 2010 12:48 pm
Location: Utah, USA

#6

Post by tomjoht »

I'll ping the project manager about it. If I remember correctly, it was set short to prevent overloading the servers, though I'm not sure if that's the right answer anymore.
sterlingb
New Member
Posts: 21
Joined: Sun Nov 30, 2008 1:33 pm

#7

Post by sterlingb »

Thanks, johnsonth.
tomjoht
Member
Posts: 362
Joined: Tue Dec 21, 2010 12:48 pm
Location: Utah, USA

#8

Post by tomjoht »

It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.
MatthewEhle
New Member
Posts: 16
Joined: Fri Aug 12, 2011 2:07 pm
Location: Riverton, Utah

#9

Post by MatthewEhle »

johnsonth wrote: It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.

Right now, all the parts of lds.org that are SSO (single sign-on) can only have one timeout value. Thus, we have had to compromise on timeout values for sensitive applications (financials, member-leader, etc.) and those that are less sensitive (scriptures, music, etc.). That's why lds.org may have a shorter timeout value than one would expect. There is no guarantee on this, but we are also looking at technology that will allow us to have different session timeouts for different parts of lds.org.

I'm glad you found that your issue came from the crossover from HTTPS to HTTP. I was partially responsible for implementing that security change. However, I'm not sure what fix you are referring to. Is there some part of lds.org that is redirecting or linking you to HTTP? The session loss when going to HTTP is an intentional change that we made earlier this summer, and there are no plans to change it.
Matthew Ehle
Access Management Engineer
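
The timeout behaviour described in posts #8 and #9, as an added sketch that is not lds.org's code and not part of any post: it shows how activity resets the idle timer but cannot extend a session past the maximum lifetime, and how a request over HTTP ends the session. The 60-minute and 10-hour values come from the thread; the `SessionStore` class, the function names and the server-side revocation on plain HTTP are assumptions, since the thread does not say how the session is dropped.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60 * 60        # idle timeout from the thread: 60 minutes
MAX_LIFETIME = 10 * 60 * 60   # max session timeout from the thread: 10 hours

@dataclass
class Session:
    created: float    # seconds, when the user logged in
    last_seen: float  # seconds, last request accepted for this session

class SessionStore:
    """Hypothetical in-memory store; times are passed in so the logic is testable."""

    def __init__(self):
        self._sessions = {}

    def login(self, sid, now):
        self._sessions[sid] = Session(created=now, last_seen=now)

    def check(self, sid, scheme, now):
        """Return 'ok' or the reason the request is treated as logged out."""
        session = self._sessions.get(sid)
        if session is None:
            return "no-session"
        if scheme != "https":
            # Assumed mechanism: a session cookie seen over plain HTTP is
            # considered exposed, so the session is dropped server-side.
            del self._sessions[sid]
            return "insecure-transport"
        if now - session.created >= MAX_LIFETIME:
            del self._sessions[sid]
            return "max-lifetime"
        if now - session.last_seen >= IDLE_TIMEOUT:
            del self._sessions[sid]
            return "idle"
        session.last_seen = now  # activity resets only the idle timer
        return "ok"

def replay(events):
    """Run (minutes, scheme) requests for one session that logged in at t=0."""
    store = SessionStore()
    store.login("sid-1", 0)
    return [store.check("sid-1", scheme, minutes * 60) for minutes, scheme in events]

if __name__ == "__main__":
    # Constructed timeline: one request every 50 minutes, all over HTTPS.
    print(replay([(m, "https") for m in range(50, 700, 50)]))
```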