DO Ideas 2

Log out users after a couple of minutes

...say, after 15 minutes or so.

  • Padde
  • Sep 11 2018
  • Maciej Jonasz commented
    September 11, 2018 19:06

    Every serious service/provider uses automatic session expiration. You should implement this feature if you care about the security of your real customers.

    For others who do not want automatic session expiration you might implement a "Remember me" or similar checkbox on the login page.

    Currently DigitalOcean keeps sessions even after closing the web browser.

    DigitalOcean isn't Facebook or Instagram and should provide every possible mechanism to improve users' security.

  • Marcin Domański commented
    September 11, 2018 19:06

    IMO this is a security threat. If you want you can give the user the choice but at least make the default a finite value.

  • Piotr Włodarek commented
    September 11, 2018 19:06

    A browser session gives unlimited access to the infrastructure hosted at DO.

    We really see this as a major threat to our production infrastructure.

    Even more so with a trend of laptops being rebooted very rarely by programmers and admins. In practice, the session persists for many days, and of course one cannot rely on "sign out" being always used by all team members.

    Please kindly implement an option to expire the session in a reasonable time frame (like 30 - 60 minutes).

  • Joel Wallis Jucá commented
    September 11, 2018 19:06

    A session management screen would be really good to have, so I can log out from some computer I've used to manage my droplets but haven't logged out of.

  • Pablo commented
    September 11, 2018 19:06

    Totally roll w/the crowd that believes that 15 mins. is waaaaaaaay too short

  • Greg Fitzgerald commented
    September 11, 2018 19:06

    So this will be configurable? Personally I want my sessions to last longer. I work from home so I'm not too worried about others jumping on my computer.

    I prefer Google's approach where they only ask you to verify your two factor authentication token every 30 days.

  • Moisey Uretsky commented
    September 11, 2018 19:06

    We have another request for this and we'll be implementing timeout values that customers can set =]

  • Moisey Uretsky commented
    September 11, 2018 19:06

    The current timeout is set to expire when you close your browser but we will be looking into implementing a timeout value that customers can choose themselves, most likely something like:

    Browser (stay logged in while browser is open)
    3 hours
    12 hours
    24 hours
    1 week

    If anyone has any other suggestions let us know!

  • Nir Yemini commented
    September 11, 2018 19:06

    Not a good idea. I hate the "auto logout"!

    N

  • Mike commented
    September 11, 2018 19:06

    Absolutely, yes. I keep my browser open for weeks. It scares me that someone could go to digitalocean.com/droplets on my laptop, and have the ability to destroy my entire infrastructure without even having to reenter my password.

  • Moisey Uretsky commented
    September 11, 2018 19:06

    Thanks for the feedback =]

  • Christian Pekeler commented
    September 11, 2018 19:06

    No!

  • Christian Pekeler commented
    September 11, 2018 19:06

    I prefer infinite sessions.

  • Moisey Uretsky commented
    September 11, 2018 19:06

    I think the simplest solution will be to just let customers set their timeout values themselves.

    This way those that like to stay logged in can do so, others can choose lower values.

    Thanks

  • Moisey Uretsky commented
    September 11, 2018 19:06

    Looking to get more feedback and discussion around this request before we implement any changes.

    Thanks,
    Moisey