My spec says 30 days. I am about to argue for a considerably longer TTL, something like 90-120 days. What do you think?
Edit #1: This is for a standard website, not an intranet app.
It depends on who's using the system. If it's an employee of a company regularly using his assigned computer, and one of the intranet sites sets a "remember me" cookie, it can be longer, a year or more.
"It depends" is the most natural answer. Additionally, we should also ask the user whether it's a personal laptop, a shared workstation or a public machine.
If it is a social network or a mail portal or something similar, then 2 weeks; in the case of a personal workstation, >4 weeks. If it's a banking system, then there's nothing like "Remember Me" or persistent auth. In fact, the session should be terminated after 15 minutes without activity.
So, it depends.
My personal advice would be to do it as a combination of a relatively short-expiration cookie with sliding expiration and a long-expiration identity cookie.
The first part is your standard week- or month-long expiration authentication ticket cookie, which you renew on each request or at a certain time interval, or whatever other sliding-expiration scheme you want to employ.
The second part is that you remember the identity of the user in a half-year/year-expiration cookie. This is not an authentication ticket, just an identity reminder, so that if the user returns after their session has expired, they get greeted and you might choose to show some non-sensitive personal information, like the number of emails in the inbox or anything like that, but to actually access any sensitive information they need to authenticate themselves.
This will give your regular users (visiting every day or week) a continuous, never-expiring session, while still keeping the authentication tickets within a relatively short time frame. At the same time, for people who return after more than a month, you can still give them a personalized experience, yet their account is secure. I don't think anyone would actually have a problem if you ask them to authenticate to access certain parts of their account after a month of absence, even if they'd checked the "remember me"/"remember my password" checkbox.