Being logged out on a mobile device.

Moderator
Posts: 17,251
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Being logged out on a mobile device.

Four times today I've been logged out of the forum on my phone.

Stay logged in is checked.

iPhone 6s, iOS 9.3.1, Chrome
Will Moderate For Thanks
Community Gaffer
Posts: 475
Thanks: 143
Fixes: 1
Registered: 11-05-2015

Re: Being logged out on a mobile device.

Have you been active in that time? If you don't do anything for more than an hour the session expires - all part of our security measures.
Community Veteran
Posts: 1,990
Thanks: 5
Registered: 11-12-2013

Re: Being logged out on a mobile device.

Hi Liam, I was really worried Plusnet would do something like this; it's a policy with a false economy.

An hour also is an incredibly short period of time.

Why have a "stay logged in" button if it doesn't do what it says?

I understand the thinking may be "well, other sites do it so it must be the right thing to do"; it isn't.

Forcing people to log in frequently will encourage the following, which are all bad for security:

Passwords that are weak so they are easy to enter for the frequency they are needed.

Auto-population of login fields, which is a trivial means to bypass your measure (and no, trying to forcefully block this is a bad idea as well).

Passwords that are easy to remember, typically leading people to use passwords shared across multiple sites.

We also have to put this into perspective: the Plusnet forum isn't a banking interface, it's a discussion forum. Requiring people to re-login every hour is way out of place for the content being accessed.

Community Gaffer
Posts: 475
Thanks: 143
Fixes: 1
Registered: 11-05-2015

Re: Being logged out on a mobile device.

It's something we need to keep an eye on. People who understand the risks in terms of cyber security have told us what is best practice and, considering everything we see going on, I'm keen to follow their advice.

However, as you say, I want to balance that with experience so let me see what we can do.

To be clear, it'll be the same on desktop too.
Community Veteran
Posts: 1,990
Thanks: 5
Registered: 11-12-2013

Re: Being logged out on a mobile device.

To be clear, I am aware you are not alone in this; it wouldn't surprise me if it's the same people that advised the other sites as well.

My work is also security focused, and I do come across practices which seem great but are not. The only security compromise you are potentially blocking is in the case of shared devices and someone being able to access a forum account, possibly stealing the contact email address as well. However, this probably actually becomes a worse problem considering the side effects of forcing frequent logins.

My proposal for a middle ground would be to add a login tick box (unticked by default) that asks if it's a private device; if ticked, then the automatic session termination is much less aggressive, perhaps something like a month or a week. I am a member of several forums and I have never heard of one having security-related problems due to sessions lasting for long periods of time; many still remember "forever".

I haven't checked, but I hope Plusnet haven't disabled pasting passwords in as well. Wink

--edit--

Checked: you didn't block it, and that's good news, as blocking pasting of passwords is definitely a false economy.

Hopefully some middle ground is agreed. Smiley

Superuser
Posts: 2,590
Thanks: 978
Fixes: 8
Registered: 10-04-2007

Re: Being logged out on a mobile device.

I have only been accessing via my desktop today and have not been logged off - but at about the hourly interval I do seem to get reverted to the Welcome screen even when actively moving around the forum. So far I've put it down to "user problem" but I'll pay a bit more attention tomorrow and see if it repeats.

Moderator
Posts: 17,251
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Re: Being logged out on a mobile device.

My laptop hasn't been logged out once, and it was over 7 hours between usage.

My mobile device ranged between 3 minutes and 2 hours between uses.

Will Moderate For Thanks
Community Gaffer
Posts: 475
Thanks: 143
Fixes: 1
Registered: 11-05-2015

Re: Being logged out on a mobile device.

That's interesting, thanks @dvorak - we'll take a look.
ScottStorey
Aspiring Pro
Posts: 361
Thanks: 55
Fixes: 1
Registered: 21-02-2013

Re: Being logged out on a mobile device.

@dvorak industry recommendations can be incredibly low for session timeouts. Depending on the type of application and whose advice you take, anywhere between 5-30 minutes is a common recommendation.

@chrcoluk there are more security implications beyond shared devices. There are also concerns around session fixation and session hijacking. Limiting the time a session is valid for helps mitigate against these by providing a smaller window in which a successful attack can be launched.

Are people looking for a few extra hours or days/weeks on the timeout?

I can have a sit down with @PlusnetLiam and see what we can figure out.
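The middle ground proposed earlier in the thread (a "private device" tick box that relaxes the idle timeout) and the session fixation and hijacking point raised in this reply, shown together as an added example that is not part of the thread or of Plusnet's forum software. The timeout values, the absolute 30-day lifetime and the user name are assumptions.

```python
import secrets

# Idle timeouts discussed in the thread: one hour by default, and a much longer
# window when the user ticks "private device" (one week here, an assumed value).
IDLE_TIMEOUT_DEFAULT = 60 * 60
IDLE_TIMEOUT_PRIVATE = 7 * 24 * 60 * 60
# Assumed absolute lifetime: even a private-device session ends after 30 days.
ABSOLUTE_LIFETIME = 30 * 24 * 60 * 60


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session ID -> session record

    def login(self, user, private_device, now, old_session_id=None):
        # Issue a fresh ID on every login and drop any pre-login session, so an
        # ID planted before authentication (session fixation) never becomes live.
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)
        idle = IDLE_TIMEOUT_PRIVATE if private_device else IDLE_TIMEOUT_DEFAULT
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "idle": idle}
        return sid

    def resolve(self, sid, now):
        """Return the session's user and refresh it, or None if unknown/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > s["idle"] or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # a stale or hijacked ID stops working here
            return None
        s["last_seen"] = now  # sliding window: each page load extends the session
        return s["user"]


def simulate(gaps_seconds, private_device):
    """Replay gaps between page loads; return how often the user was logged out."""
    store = SessionStore()
    now = 0
    sid = store.login("dvorak", private_device, now)  # assumed user name
    logouts = 0
    for gap in gaps_seconds:
        now += gap
        if store.resolve(sid, now) is None:
            logouts += 1
            sid = store.login("dvorak", private_device, now)
    return logouts
```

Replaying a constructed day of mobile browsing with gaps between 3 minutes and 2 hours shows the one-hour idle policy logging the user out at every gap over an hour, while the private-device policy keeps the session until its absolute lifetime runs out.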
Community Veteran
Posts: 1,990
Thanks: 5
Registered: 11-12-2013

Re: Being logged out on a mobile device.

I would suggest you take a note of what the real big boys are doing:

Twitter

Facebook

Google/Youtube

No session timeouts.

e.g. I browsed to Twitter today, having not visited that site for several weeks, and there was no login prompt; I was logged in via cookies.

This advice is probably given on the basis of an assumption that the userbase is using outdated software and needs their hand held security-wise. I do respect that a middle ground is probably best, hence my suggestion.

In regards to session hijacking, that can be mitigated quite trivially and doesn't require methods such as short session times; I will consider sending you guys a PM on how to do this, dependent on the free time I have.

An ideal timeout is hard to say really; my suggestion is based on how often I would be visiting the site, so e.g. if I check this forum twice a week, then a timeout of one week would prevent me from being logged out.

I think what you should be trying to avoid is a situation where a user posts content to a thread, they then do something else for a bit, they then get an email notification of a reply, and reload the site to read it, and possibly do another reply, but then *bam* they need to log in. I think needing to re-login multiple times a day in this manner is too inconvenient for the end user and the security merits are very limited.

The only applications where really short session times are deemed important are things like banking, PayPal, corporate accounts, and premium content sites. Netflix has premium content and will expire sessions, but at 3 hours. Nowhere near that 5-30 min suggestion. I don't think I have ever seen such a suggestion for a discussion forum, even though I am seeing broadband ISPs roll out such policies. Steam expires sessions only if it detects a change in the browser or end user IP address. Otherwise they never expire unless the end user configures it.

An absolute minimum I would suggest is something like 3 hours, if you really feel this is an important measure you cannot tolerate easing up on, but I think a much more sensible value is something between 1 day and 1 month.

Superuser
Posts: 10,016
Thanks: 1,549
Fixes: 19
Registered: 22-08-2007

Re: Being logged out on a mobile device.


PlusnetLiam wrote:
Have you been active in that time? As if you don't do anything for more than an hour the session expires - all part of our security measures.

@PlusnetLiam We raised this as a bug during testing - inexplicable loss of session - and I do not recall that we got to the bottom of it.  The suggestion that this is a "security measure" was not proffered at that time.  Has something been changed since pre-live testing?

Moderator
Posts: 17,251
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Re: Being logged out on a mobile device.

Nor does it explain why a laptop session isn't logged out when not used for in excess of 10 hours.
Will Moderate For Thanks
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: Being logged out on a mobile device.

Just to advise that I logged in with my cheap LG phone last night via wifi and early this morning it was still connected and logged in. I'll try another phone later today.

@dvorak this wouldn't be your mobile network causing the problem, would it? Also, are you roaming?

Moderator
Posts: 17,251
Thanks: 904
Fixes: 104
Registered: 11-01-2008

Re: Being logged out on a mobile device.

Well, I was in Sweden, Denmark and the UK yesterday; however, it happened whilst within those countries connected to wifi and mobile networks.

Will Moderate For Thanks
Community Veteran
Posts: 6,307
Thanks: 86
Fixes: 3
Registered: 08-01-2008

Re: Being logged out on a mobile device.

Obviously a mobile device could be changing networks / IP addresses; even when in a fixed location a mobile phone is more likely to "totally drop" its wi-fi connection (for obvious battery life reasons) and "disappear" from the outside world. Could it simply be this behaviour that's causing the logouts?

Mine certainly seems more inclined to stay logged in while sitting at home (though it can hold sessions between locations too so my theories above are not at all strict even if remotely correct).

Call me 'w23'
At any given moment in the universe many things happen. Coincidence is a matter of how close these events are in space, time and relationship.
Opinions expressed in forum posts are those of the poster, others may have different views.