...say, after 15 minutes or so.
Every serious service/provider uses automatic session expiration. You should implement this feature if you care about the security of your real customers.
For others who do not want automatic session expiration you might implement a "Remember me" or similar checkbox on the login page.
Currently DigitalOcean keeps sessions even after closing web browser.
DigitalOcean isn't Facebook or Instagram and should provide every possible mechanism to improve users' security.
IMO this is a security threat. If you want you can give the user the choice but at least make the default a finite value.
A browser session gives unlimited access to the infrastructure hosted at DO.
We really see this as a major threat to our production infrastructure.
Even more so with a trend of laptops being rebooted very rarely by programmers and admins. In practice, the session persists for many days, and of course one cannot rely on "sign out" being always used by all team members.
Please kindly implement an option to expire the session in a reasonable time frame (like 30 - 60 minutes).
A session management screen would be really good to have, so I can log out from some computer I've used to manage my droplets but haven't logged out of.
Totally roll w/the crowd that believes that 15 mins. is waaaaaaaay too short
So this will be configurable? Personally I want my sessions to last longer. I work from home so I'm not too worried about others jumping on my computer.
I prefer Google's approach where they only ask you to verify your two factor authentication token every 30 days.
We have another request for this and we'll be implementing timeout values that customers can set =]
The current timeout is set to expire when you close your browser but we will be looking into implementing a timeout value that customers can choose themselves, most likely something like:
Browser (stay logged in while browser is open)
If anyone has any other suggestions let us know!
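The thread above asks for three things: a customer-selectable timeout (including the "stay logged in while the browser is open" option), a hard cap so a forgotten laptop session does not live forever, and a screen to list and revoke sessions from other computers. The following is an added illustration of how a backend could enforce all three, written for this page; it is not DigitalOcean's code. The policy names ("browser", "15m", "60m"), the 30-day absolute lifetime, the `session` cookie name and the `SessionStore` class are assumptions chosen for the example; the cookie attributes (`HttpOnly`, `Secure`, `SameSite`, `Max-Age`) are standard.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SessionPolicy:
    # idle_seconds=None is the "browser session" choice: no server-side idle
    # expiry, and the cookie gets no Max-Age so the browser drops it on close.
    idle_seconds: Optional[int]
    # Hard cap enforced server-side regardless of activity, because a browser
    # session cookie can outlive "closing the browser" (session restore,
    # laptops that are never rebooted). Assumed value: 30 days.
    absolute_seconds: int = 30 * 24 * 3600

# Constructed menu of customer-selectable choices (assumed, not DO's real options).
POLICIES = {
    "browser": SessionPolicy(idle_seconds=None),
    "15m": SessionPolicy(idle_seconds=15 * 60),
    "60m": SessionPolicy(idle_seconds=60 * 60),
}

@dataclass
class Session:
    user_id: str
    policy_name: str
    created_at: float
    last_seen_at: float
    user_agent: str

def session_id(token: str) -> str:
    # Short identifier shown on a "manage sessions" screen; never expose the
    # raw token there, since anyone reading the page could reuse it.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, policy_name: str, user_agent: str,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, policy_name, now, now, user_agent)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the Session if still valid; otherwise drop it and return None."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        policy = POLICIES[s.policy_name]
        expired = (now - s.created_at) > policy.absolute_seconds
        if policy.idle_seconds is not None:
            expired = expired or (now - s.last_seen_at) > policy.idle_seconds
        if expired:
            del self._sessions[token]
            return None
        s.last_seen_at = now  # sliding idle window: activity extends the session
        return s

    def list_for_user(self, user_id: str) -> List[dict]:
        # Data for a session management screen: id, device, last activity.
        return [
            {"id": session_id(tok), "user_agent": s.user_agent,
             "last_seen_at": s.last_seen_at, "policy": s.policy_name}
            for tok, s in self._sessions.items() if s.user_id == user_id
        ]

    def revoke(self, user_id: str, sid: str) -> bool:
        # Log out one specific device without touching the others.
        for tok, s in list(self._sessions.items()):
            if s.user_id == user_id and session_id(tok) == sid:
                del self._sessions[tok]
                return True
        return False

    def revoke_all(self, user_id: str) -> int:
        # "Sign out everywhere"; returns how many sessions were dropped.
        victims = [tok for tok, s in self._sessions.items() if s.user_id == user_id]
        for tok in victims:
            del self._sessions[tok]
        return len(victims)

def cookie_header(token: str, policy_name: str) -> str:
    # Max-Age is only set for timed policies; a cookie without Max-Age is a
    # browser-session cookie. Re-send this header on each response so the
    # cookie's lifetime tracks the sliding idle window.
    attrs = [f"session={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    idle = POLICIES[policy_name].idle_seconds
    if idle is not None:
        attrs.append(f"Max-Age={idle}")
    return "Set-Cookie: " + "; ".join(attrs)
```

The idle timeout is a sliding window (each validated request resets it), while the absolute lifetime is measured from login and cannot be extended, which is what keeps an always-open laptop from holding a session indefinitely even under the "browser" policy.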
Not a good idea. I hate the "auto logout"!
Absolutely, yes. I keep my browser open for weeks. It scares me that someone could go to digitalocean.com/droplets on my laptop, and have the ability to destroy my entire infrastructure without even having to reenter my password.
Thanks for the feedback =]
I prefer infinite sessions.
I think the simplest solution will be to just let customers set their timeout values themselves.
This way those that like to stay logged in can do so, others can choose lower values.
Looking to get more feedback and discussion around this request before we implement any changes.