Being logged out on a mobile device.
07-04-2016 7:30 PM
Stay logged in is checked.
iPhone 6s, iOS 9.3.1, Chrome
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Re: Being logged out on a mobile device.
07-04-2016 7:33 PM
Re: Being logged out on a mobile device.
07-04-2016 7:50 PM
Hi Liam, I was really worried Plusnet would do something like this; it's a policy with a false economy.
An hour also is an incredibly short period of time.
Why have a "stay logged in button" if it doesn't do what it says?
I understand the thinking may be, well, other sites do it so it must be the right thing to do; it isn't.
Forcing people to log in frequently will encourage the following, which are all bad for security.
Passwords that are weak so they are easy to enter for the frequency they are needed.
Auto population of login fields, which is a trivial means to bypass your measure (and no, trying to forcefully block this is a bad idea as well).
Passwords that are easy to remember, typically leading people to use passwords shared across multiple sites.
We also have to put this into perspective: the Plusnet forum isn't a banking interface, it's a discussion forum. Requiring people to re-login every hour is way out of place for the content being accessed.
Re: Being logged out on a mobile device.
07-04-2016 7:52 PM
However, as you say, I want to balance that with experience so let me see what we can do.
To be clear, it'll be the same on desktop too.
Re: Being logged out on a mobile device.
07-04-2016 7:57 PM - edited 07-04-2016 7:59 PM
To be clear, I am aware you are not alone in this; it wouldn't surprise me if it's the same people that advised the other sites as well.
My work is also security focused, and I do come across practices which seem great but they are not. The only security compromise you are potentially blocking is in the case of shared devices and someone being able to access a forum account, possibly stealing the contact email address as well. However, this probably actually becomes a worse problem considering the side effects of forcing frequent logins.
My proposal for a middle ground would be to add a login tick box (unticked by default) that asks if it's a private device; if ticked, then the auto session termination is much less aggressive, perhaps something like a month or a week. I am a member of several forums and I have never heard of one having security related problems due to sessions lasting for long periods of time; many still remember "forever".
I haven't checked but I hope Plusnet have disabled pasting passwords in as well
--edit--
Checked, you didn't block, that's good news, as blocking pasting of passwords is definitely a false economy.
Hopefully some middle ground is agreed.
Re: Being logged out on a mobile device.
07-04-2016 8:08 PM
I have only been accessing via my Desktop today and not been logged off - but at about the hourly interval I do seem to get reverted to the Welcome screen even when actively moving around the Forum. So far I've put it down to 'User problem' but I'll pay a bit more attention tomorrow and see if it repeats.
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
Re: Being logged out on a mobile device.
07-04-2016 8:11 PM
My mobile device ranged between 3 minutes and 2 hours between uses.
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Re: Being logged out on a mobile device.
07-04-2016 8:54 PM
Re: Being logged out on a mobile device.
07-04-2016 10:40 PM
@chrcoluk there are more security implications beyond shared devices. There are also concerns around session fixation and session hijacking. Limiting the time a session is valid for helps mitigate against these by providing a smaller window in which a successful attack can be launched.
Are people looking for a few extra hours or days/weeks on the timeout?
I can have a sit down with @PlusnetLiam and see what we can figure out.
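The trade-off argued in this thread, as an added example that is not part of any post and is not Plusnet's or the forum platform's code: a session store with the one-hour idle timeout quoted above, a longer idle limit when a "private device" box is ticked, and a fresh identifier issued at login so a pre-set (fixated) identifier is never adopted. The class and constant names, the 7-day value chosen from the range proposed above, and the 30-day absolute cap are assumptions.

```python
import secrets
from dataclasses import dataclass

# Assumed policy values: the 1-hour idle limit is the one quoted in the thread;
# 7 days for a ticked "private device" box is one of the values proposed there.
IDLE_LIMIT_DEFAULT = 60 * 60
IDLE_LIMIT_PRIVATE = 7 * 24 * 60 * 60
ABSOLUTE_LIMIT = 30 * 24 * 60 * 60  # assumption: hard cap regardless of activity


@dataclass
class Session:
    user: str
    private_device: bool
    created: float
    last_seen: float


class SessionStore:
    """In-memory store; hypothetical names, not any forum platform's API."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, private_device, now, presented_sid=None):
        # Session fixation defence: never adopt an identifier supplied before
        # authentication; discard it and issue a fresh random one.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, private_device, now, now)
        return sid

    def validate(self, sid, now):
        """Return the user name for a live session, else None (and expire it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_limit = IDLE_LIMIT_PRIVATE if s.private_device else IDLE_LIMIT_DEFAULT
        if now - s.last_seen > idle_limit or now - s.created > ABSOLUTE_LIMIT:
            del self._sessions[sid]  # a stolen identifier is useless after this
            return None
        s.last_seen = now  # activity slides the idle window forward
        return s.user
```

The idle limit bounds how long an unused identifier stays valid, while the absolute cap bounds the lifetime of one that is kept alive by continuous use.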
Re: Being logged out on a mobile device.
07-04-2016 11:42 PM
I would suggest you take a note of what the real big boys are doing.
Google/YouTube
No session timeouts.
E.g. I browsed to Twitter today, not having visited that site for several weeks, and there was no login prompt; logged in via cookies.
This advice is probably given on the basis of an assumption that the userbase is using outdated software and needs their hand held security wise. I do respect a middle ground is probably best, hence my suggestion.
In regards to session hijacking, that can be mitigated quite trivially and doesn't require methods such as short session times. I will consider sending you guys a PM on how to do this, dependent on the free time I have.
An ideal timeout is hard to say really; my suggestion is based on how often I would be visiting the site, so e.g. if I check this forum twice a week, then a timeout of one week would prevent me from being logged out.
I think what you should be trying to avoid is a situation where a user posts content to a thread, they then do something else for a bit, they then get an email notification of a reply, and reload the site to read it, and possibly do another reply, but then *bam* they need to log in. I think needing to re-login multiple times a day in this manner is too inconvenient for the end user and the security merits are very limited.
The only applications where really short session times are deemed important are things like banking, PayPal, corporate accounts, and premium content sites. Netflix has premium content and will expire sessions but at 3 hours, nowhere near that 5-30 min suggestion. I don't think I have ever seen such a suggestion for a discussion forum, even though I am seeing broadband ISPs roll out such policies. Steam expires sessions only if it detects a change in the browser or end user IP address. Otherwise they never expire unless the end user configures it.
An absolute minimum I would suggest is something like 3 hours, if you really feel this is an important measure you cannot tolerate easing upon, but I think a much more sensible value is something in between 1 day and 1 month.
Re: Being logged out on a mobile device.
08-04-2016 9:02 AM
@PlusnetLiam wrote:
Have you been active in that time? As if you don't do anything for more than an hour the session expires - all part of our security measures.
@PlusnetLiam We raised this as a bug during testing - inexplicable loss of session - and I do not recall that we got to the bottom of it. The suggestion that this is a "security measure" was not proffered at that time. Has something been changed since pre-live testing?
In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.
Re: Being logged out on a mobile device.
08-04-2016 9:06 AM
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Re: Being logged out on a mobile device.
08-04-2016 9:17 AM
Just to advise that I logged in with my cheap LG phone last night via wifi and early this morning it was still connected and logged in. I'll try another phone later today.
@dvorak this wouldn't be your mobile network causing the problem would it, also are you roaming?
Re: Being logged out on a mobile device.
08-04-2016 9:20 AM
Well, I was in Sweden, Denmark and the UK yesterday. However, it happened whilst within those countries connected to wifi and mobile networks.
If it helped click the thumb
If it fixed it click 'This fixed my problem'
Re: Being logged out on a mobile device.
08-04-2016 9:23 AM
Obviously a mobile device could be changing networks / IP addresses, even when in a fixed location a mobile phone is more likely to 'totally drop' its wi-fi connection (for obvious battery charge life reasons) and 'disappear' from the outside world, could it simply be this behaviour that's causing the logouts?
Mine certainly seems more inclined to stay logged in while sitting at home (though it can hold sessions between locations too so my theories above are not at all strict even if remotely correct).
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.