Session expiry

Posted: Tue Aug 02, 2011 11:30 am
by sterlingb
I've noticed the session timeout on lds.org is pretty short. I find this to be counterproductive as I visit the site several times a day to get phone numbers or look up member information.

I can understand someone thinking it somehow increases security, but in reality all it does is force me to use my browser's ID caching to let me log in reasonably quickly. There's in fact no security benefit whatever to a short session timeout that I can think of.

Is it possible to get it increased?

Posted: Tue Aug 02, 2011 1:45 pm
by jdlessley
I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.

Posted: Tue Aug 02, 2011 4:01 pm
by russellhltn
How short is it? I think many web sites use something like 20 minutes for the session set on the web server itself. Unless you do a "Remember me" you'll always have to be logging back in. The only exception might be if there's active content on the screen that causes the browser to request periodic updates which function as a "keep alive".

Posted: Tue Aug 02, 2011 4:20 pm
by eblood66
jdlessley wrote: I have no problems with this. But I check the 'Remember me?' box when I log on to create a never-ending session cookie.

I've never seen a 'Remember me?' box for the main lds.org login. Where did you find that?

Posted: Tue Aug 02, 2011 10:21 pm
by jdlessley
There is no 'Remember me?' for the main lds.org site now that I look at it. There is one for the forum. So I guess I can't say why I never have any problem with sessions expiring. For each site I visit that requires LDS Account logon I have never had a session expire. But then my activity on the site may keep the session timer updated.

Posted: Wed Aug 03, 2011 12:12 am
by tomjoht
I'll ping the project manager about it. If I remember correctly, it was set short to prevent overloading the servers, though I'm not sure if that's the right answer anymore.

Posted: Wed Aug 03, 2011 8:03 am
by sterlingb
Thanks, johnsonth.

Posted: Thu Aug 04, 2011 3:11 pm
by tomjoht
It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.

Posted: Sat Aug 13, 2011 9:08 am
by MatthewEhle
johnsonth wrote: It turns out that sessions expire when you go from https to http. There's a fix planned for this that will be implemented in Q1 of 2012. If you don't cross from https to http, the max session timeout is 10 hours. Idle timeout is 60 minutes.

Right now, all the parts of lds.org that are SSO (single sign-on) can only have one timeout value. Thus, we have had to compromise on timeout values for sensitive applications (financials, member-leader, etc.) and those that are less sensitive (scriptures, music, etc.). That's why lds.org may have a shorter timeout value than one would expect. There is no guarantee on this, but we are also looking at technology that will allow us to have different session timeouts for different parts of lds.org.

I'm glad you found that your issue came from the crossover from HTTPS to HTTP. I was partially responsible for implementing that security change. However, I'm not sure what fix you are referring to. Is there some part of lds.org that is redirecting or linking you to HTTP? The session loss when going to HTTP is an intentional change that we made earlier this summer, and there are no plans to change it.
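
The timeout rules described in this thread (60-minute idle timeout, 10-hour maximum, session loss on a request over HTTP), modelled as an added example that is not lds.org's code. The stricter idle limit for `financials`, the function and field names, the way the HTTP crossover is modelled, and the request timelines are assumptions made up for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60 * 60        # 60 minutes, from the thread
MAX_LIFETIME = 10 * 60 * 60   # 10 hours, from the thread
# Hypothetical stricter idle limit for a sensitive application; the thread
# gives no per-application values.
APP_IDLE_LIMITS = {"financials": 15 * 60}

@dataclass
class Session:
    created: float            # epoch seconds at login
    last_seen: float          # time of the last accepted request
    alive: bool = True

def check_session(s, now, scheme, app):
    """Return a reason string; 'ok' means the request is accepted."""
    if not s.alive:
        return "expired"
    if scheme != "https":
        s.alive = False       # assumed model: crossing to HTTP ends the session
        return "insecure-transport"
    if now - s.created >= MAX_LIFETIME:
        s.alive = False       # absolute cap; activity cannot extend it
        return "max-lifetime"
    idle = now - s.last_seen
    if idle >= IDLE_TIMEOUT:
        s.alive = False
        return "idle"
    if idle >= APP_IDLE_LIMITS.get(app, IDLE_TIMEOUT):
        return "reauth-required"   # session survives, this app asks again
    s.last_seen = now         # sliding idle window
    return "ok"

def replay(events):
    """Apply constructed (minutes_after_login, scheme, app) events in order."""
    s = Session(created=0.0, last_seen=0.0)
    return [check_session(s, m * 60.0, scheme, app) for m, scheme, app in events]

# Constructed timelines (minutes after login), not real traffic.
BUSY_DAY = [(m, "https", "scriptures") for m in range(0, 601, 50)]
MIXED = [(30, "https", "scriptures"), (50, "https", "financials"),
         (55, "https", "scriptures"), (60, "http", "scriptures"),
         (61, "https", "scriptures")]

if __name__ == "__main__":
    print(replay(BUSY_DAY))
    print(replay(MIXED))
```

`BUSY_DAY` shows that steady activity keeps the idle timer fresh but still hits the 10-hour cap; `MIXED` shows a per-application limit asking for re-authentication without ending the shared session, followed by the session ending on the HTTP request.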