by dobin 1031 days ago
"Thank god we set the session timeout to 5 minutes, or we would have been compromised" - no one ever.

I am in the 10-hour session timeout camp (or at least 4h, so you only have to authenticate twice a day). Session timeout checks are the same sort of checkbox tests auditors (and pentesters) like, like a password policy where you have to change it every 90 days. And about as effective.

What's missing in the article is the difference between soft- and hard session timeout (Soft: Reset upon user activity. Hard: session gets killed after X hours regardless of user activity).

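As an added illustration of the soft/hard distinction in the comment above (example code, not from the thread or any product): a session policy that enforces both kinds of timeout, so user activity pushes out the idle deadline but never the absolute one. The class names and the 30-minute idle / 10-hour absolute values are assumptions chosen for the demo.

```python
from dataclasses import dataclass


@dataclass
class Session:
    created_at: float     # authentication time; the hard (absolute) clock starts here
    last_activity: float  # last accepted request; the soft (idle) clock restarts here


class SessionPolicy:
    """Soft timeout: expires after idle_seconds without activity (reset on use).
    Hard timeout: expires absolute_seconds after login regardless of activity."""

    def __init__(self, idle_seconds: float, absolute_seconds: float):
        self.idle_seconds = idle_seconds
        self.absolute_seconds = absolute_seconds

    def is_valid(self, s: Session, now: float) -> bool:
        idle_ok = now - s.last_activity <= self.idle_seconds
        absolute_ok = now - s.created_at <= self.absolute_seconds
        return idle_ok and absolute_ok

    def touch(self, s: Session, now: float) -> bool:
        """Call on every authenticated request. Only a still-valid session gets
        its idle deadline extended; an expired one stays expired."""
        if not self.is_valid(s, now):
            return False
        s.last_activity = now
        return True


def simulate(policy: SessionPolicy, request_times: list) -> list:
    """Replay requests at the given offsets (seconds since login) against a fresh
    session and report whether each one was accepted."""
    s = Session(created_at=0.0, last_activity=0.0)
    return [policy.touch(s, t) for t in request_times]


if __name__ == "__main__":
    # Constructed scenario: 30 min idle, 10 h absolute.
    policy = SessionPolicy(idle_seconds=30 * 60, absolute_seconds=10 * 3600)
    # Soft timeout: a 60 min gap between the third and fourth request kills it.
    print(simulate(policy, [1200, 2400, 3600, 7200]))
    # Hard timeout: steady activity every 20 min still dies past the 10 h mark.
    print(simulate(policy, [i * 1200 for i in range(1, 32)]))
```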

It really depends. I would certainly comment less often on HN if it logged me out at 4 hours.

For my online banking it's okay if they kick me out after 15-30 min.

Agreed, but is it about the way you use online banking or is it about security? I think it's interesting to consider because at the point where "security" starts to impact UX, you have to really scrutinize the difference between what's actually making an impact on your security and what's just theater.

It literally prevents me from banking well. It's not enough time to do banking tasks that require analysis or reading.