Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 44

Thread: Why can we not stay logged in?

  1. #21
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,044

    Default Re: Why can we not stay logged in?

    On Fri, 14 Sep 2012 16:46:01 +0000, nrickert wrote:

    > I have to login after 8 hours, even if there was a lot of activity, with
    > the most recent activity perhaps only 30 minutes earlier.


    This should not actually be the case - 8 hours of inactivity in a session
    (but defined as inactivity related to accessing a protected resource,
    which is going to be either a private forum, posting a reply, or posting
    a new message).

    But everyone's use case is different - myself, I spend hours logged into
    Bugzilla for work related reasons. Those who process bugs tend to do
    that.

    Ultimately, there are two (possibly more) considerations to be made.
    First, that the project opted to use this user data store for a common
    login between services.

    Second, not everyone's use case is going to be the same, so customizing
    the interface to accommodate multiple conflicting use cases isn't going
    to happen.

    Take, for example, the use case of a user who doesn't want to maintain
    multiple different logins for different parts of the openSUSE project -
    because remembering multiple login IDs and passwords for those different
    parts is too difficult - and perhaps someone has registered their user ID
    on the forums.

    Or the use case of a user who posts in a forum, then goes to report a
    bug based on a discussion in the forums. It's "inconvenient" for that
    user to have to log in to bugzilla in order to report their bug or to
    update it after new information comes out in the forum.

    My own use case for the forums is quite different, as it would be for
    staff. The ability to perform administrative tasks means that there is a
    higher security need for those of us who do that, otherwise someone with
    access to the forums through one of our accounts could really hork things
    up for everyone.

    So I tend to access the forums myself only when performing administrative
    tasks (I use NNTP primarily otherwise), and I log off the forums (and all
    openSUSE/Novell/NetIQ/SUSE resources consequently) when I'm done.

    There are certainly pragmatic reasons why it isn't going to change more
    than it has - as I stated, we recognized that 2 hours was far too short a
    time for most users, and we've upped the timeout accordingly to something
    that those who manage the data could live with. The project desired a
    common authentication mechanism for all services that involve uniquely
    identifying individuals, and that system was in place and used by SUSE
    already.

    Should the project decide that the cons outweigh the pros, of course that
    would affect the forums, and we'd look at migrating to another
    authentication mechanism. But such a decision wouldn't be made lightly,
    nor would it be made (I would hope) without regard to the disruption that
    would be caused by forcing all users registered with the system(s) to
    re-register and re-validate who they are.

    Ultimately, I'm going to redirect everyone in this discussion to the
    sticky entitled "Why we won't implement your suggestion". While that
    post generally applies to interface tweaks and the like, the core also
    applies to the underlying security architecture.

    We do appreciate the feedback, of course. But it's important to
    understand that not everything is as simple as it looks like it should
    be, and while we have made accommodation to increase the timeout,
    removing it really isn't an option at this stage.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  2. #22
    Join Date
    Jun 2008
    Location
    UK
    Posts
    5,500

    Default Re: Why can we not stay logged in?

    nrickert wrote:
    > That misstates the problem.
    >
    > I have to login after 8 hours, even if there was a lot of activity, with the most recent activity perhaps only 30 minutes earlier.

    Eight hours is a long time (you can set the alarm to wake up before that). Thirty minutes is a long period of inactivity (I know there are long distractions); logging in again isn't that hard [on a good day]. However, I agree with your other points.

  3. #23
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Why can we not stay logged in?

    On 2012-09-14 17:54, Jim Henderson wrote:
    > On Fri, 14 Sep 2012 11:58:07 +0000, Carlos E. R. wrote:


    > Carlos, you're bikeshedding.


    No, Jim, I'm not, but you are too involved and you do not see the other side of the argument;
    you appear to take it as some kind of attack, and that is far from my intention.

    I do understand why the forum login is how it is, and that it is not going to change. But I
    think that the original decision to use the same login as for bugzilla was a mistake. It
    doesn't affect me, anyway.

    I will leave the discussion because I don't want to distress you more.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  4. #24
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,044

    Default Re: Why can we not stay logged in?

    On Fri, 14 Sep 2012 21:58:07 +0000, Carlos E. R. wrote:

    > On 2012-09-14 17:54, Jim Henderson wrote:
    >> On Fri, 14 Sep 2012 11:58:07 +0000, Carlos E. R. wrote:

    >
    >> Carlos, you're bikeshedding.

    >
    > No, Jim, I'm not, but you are too involved and you do not see the other
    > side of the argument;


    I do see the other side of the argument. I've tried to explain why
    things are the way they are and why they're not likely to change.

    > you appear to take it as some kind of attack, and that is far from my
    > intention.


    Far from it.

    > I do understand why the forum login is how it is, and that it is not
    > going to change. But I think that the original decision to use the same
    > login as for bugzilla was a mistake. It doesn't affect me, anyway.


    Which is essentially the definition of "bikeshedding" - you know why
    things are the way they are, you know that it's not likely to change, but
    you want to continue to revisit the original decision and talk about
    it/debate it even though the discussion isn't going to affect anything
    because the decision is out of your hands and mine.

    Even if I agreed that it made sense to change it, that wouldn't change
    that it isn't likely to change.

    I've only been doing network security for ~20 years, and while my view
    certainly isn't the only view on how security should be done, I do have
    both the background and the knowledge of how things are set up in the
    openSUSE infrastructure regarding authentication to speak from a position
    of some knowledge on the topic.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  5. #25
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Why can we not stay logged in?

    On 2012-09-15 01:13, Jim Henderson wrote:
    > On Fri, 14 Sep 2012 21:58:07 +0000, Carlos E. R. wrote:


    I said I would not answer and I will not.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  6. #26

    Default Re: Why can we not stay logged in?

    Jim Henderson wrote:
    > My own use case for the forums is quite different, as it would be for
    > staff. The ability to perform administrative tasks means that there is a
    > higher security need for those of us who do that, otherwise someone with
    > access to the forums through one of our accounts could really hork things
    > up for everyone.
    >
    > So I tend to access the forums myself only when performing administrative
    > tasks (I use NNTP primarily otherwise), and I log off the forums (and all
    > openSUSE/Novell/NetIQ/SUSE resources consequently) when I'm done.


    The text above illustrates very well the problem everybody is
    describing. Significantly, IMO, it nowhere includes the word 'role',
    which is screaming to be heard.

    The security policy is set to be appropriate for administrative actors
    and is set for good reasons for those actors, AFAICT.

    It is also clearly set to be too strict for ordinary users, as witness
    the continuing 'bikeshedding' as you call it. Perhaps your own usage of
    the 'workaround' - NNTP - also illustrates this, but maybe that's just
    preference.

    So at present the administrative tail is wagging the community dog.

    Even something as ancient as UNIX split the role of ordinary user from
    that of administrator.

    Even ordinary users may well close their browser a lot more frequently
    than they wish to close their forum session. If they have a higher
    security role - say that of bank customer, or perhaps even employee or
    administrator of some other web-based function, they may well want to
    close their browser before and/or after such a session.

  7. #27
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,044

    Default Re: Why can we not stay logged in?

    On Mon, 17 Sep 2012 10:31:42 +0000, Dave Howorth wrote:

    > It is also clearly set to be too strict for ordinary users, as witness
    > the continuing 'bikeshedding' as you call it. Perhaps your own usage of
    > the 'workaround' - NNTP - also illustrates this, but maybe that's just
    > preference.


    Yes, that's just a preference - I've been using NNTP and text-based
    message systems for much longer than web-based forums have been around.

    I find it works best for my way of working.

    Thanks for your input.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  8. #28

    Default Re: Why can we not stay logged in?

    There's one point I want to clarify:

    The session timeout is designed to be an "idle" timeout, which means that it applies only if you have not done anything in the site for that session period. I am aware of an issue where if you are browsing around the public portions of forums, even when authenticated, the SSO service is not resetting your idle timeout as one might expect it to. The end result is that you are being treated by the system as idle when you shouldn't be, and you could lose your session unexpectedly after 6-8 hours. We are considering this a bug that needs to be addressed. The issue is a little complex, but we are discussing a couple of possible solutions that will make it so you have to be truly idle in order to lose your session.
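
The idle-timeout behaviour described in the post above, as an added sketch that is not part of the original thread and not the forum's actual SSO code. The class, function and session names are hypothetical, the 8-hour limit is the figure quoted in the thread, and the request trace is constructed.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 8 * 3600  # seconds; the 8-hour idle limit quoted in the thread


@dataclass
class Session:
    last_activity: int  # time (s) of the last request that counted as activity


class SessionGate:
    """Hypothetical SSO gate. touch_on_public=False models the reported bug:
    only protected resources reset the idle timer."""

    def __init__(self, touch_on_public):
        self.touch_on_public = touch_on_public
        self.sessions = {}

    def login(self, sid, now):
        self.sessions[sid] = Session(last_activity=now)

    def request(self, sid, now, protected):
        """Return True if the session is still valid for this request."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        if now - session.last_activity >= IDLE_TIMEOUT:
            del self.sessions[sid]  # expire server-side, not just in the cookie
            return False
        if protected or self.touch_on_public:
            session.last_activity = now  # this request counts as activity
        return True


def replay(touch_on_public):
    """Constructed trace: log in, read public pages every 30 minutes for
    eight hours, then post a reply (a protected action)."""
    gate = SessionGate(touch_on_public)
    gate.login("sid-1", 0)
    for t in range(1800, IDLE_TIMEOUT, 1800):
        gate.request("sid-1", t, protected=False)
    return gate.request("sid-1", IDLE_TIMEOUT + 60, protected=True)


def truly_idle_expires():
    """Even with the fix, a session with no requests at all still times out."""
    gate = SessionGate(touch_on_public=True)
    gate.login("sid-2", 0)
    return not gate.request("sid-2", IDLE_TIMEOUT, protected=True)
```

With `touch_on_public=False` the active reader is logged out when posting, matching the complaint in the thread; with `True` the same trace keeps the session while a genuinely idle one still expires.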

  9. #29
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,193
    Blog Entries
    1

    Default Re: Why can we not stay logged in?

    Thanks for making that clarification, Matthew. If this issue can be corrected with the idle timeout, I think the many arguments made here about the session timeouts would be nullified.

  10. #30
    Join Date
    Jun 2008
    Location
    UK
    Posts
    5,500

    Default Re: Why can we not stay logged in?

    deano_ferrari wrote:
    > Thanks for making that clarification Matthew. If this issue can be corrected with the idle timeout, I think the many arguments made here about the session timeouts would be nullified

    Nullified? I hope you meant "satisfied".
