views: 208
answers: 4

Background to question: We are building an online web application that requires the user to sign in. We will add the ability to "keep me signed in on this computer for x weeks."

Question:

What is the normal standard for how long you should allow a user to stay signed in for?

* 2 weeks?
* 4 weeks?
* Forever?

And why? Is there a reason that we should not allow our users to stay signed in forever?

Thanks for your answers...

A: 

"Is there a reason that we should not allow our users to stay signed in forever?"

If you do that, a non-authorized user who gets access to your account can then stay signed in forever, no matter if you change your password.

I don't know of standards but I think two weeks is a normal time lapse.

tekBlues
+4  A: 

I don't know if there is a standard, really. It all depends on your application and security concerns. You don't want just anybody to be able to sit down at your computer and grab your credit card number while you're still logged in.

But Stackoverflow, for example, doesn't have the highest security concern regarding logins and it shouldn't. It's a big convenience that I don't have to sign in here for every visit.

On the other hand, my job involves developing & supporting a large online insurance application. It's a little more important that I keep it secure as we gather a lot of personal information. Of course, we don't gather credit card or social security numbers and we certainly don't want the login to time out in the middle of an application. So we went with a compromise of a 12 hour timeout tied to a session. This means that closing the browser has the effect of automatically logging out, or if you let the browser sit on the site for 12 hours you're logged out that way too.

And then at the far end of the spectrum you have your online banking sites which typically sign you out after about 20 minutes. This makes perfect sense as I can't think of a worse case scenario than somebody stealing all of my money all because online banking kept me logged in too long.

Steve Wortham
A: 

It depends.

My online banking won't let me remain signed in after I leave the site. But my email will sign me in automatically for two weeks, and StackOverflow (so far) has not asked me to re-sign in in a month of using it.

So, it depends on the type of application you are building.

Matthew Jones
A: 

The answer will depend on the acceptable balance of convenience versus security for your application.

High security applications such as online banking should probably never allow a user to remain signed in.

For low security apps like email, it may be acceptable to allow a user to remain signed on forever. However, you should always make it an option for the user, and the option should state it should only be used if they are using a private computer (you would never want to do this on a shared or public computer).

DSO
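As an added example (not code from any of the answers above), here is a small Python sketch of the policy the answers describe taken together: an ordinary login bound to a browser session with an absolute 12-hour deadline (Steve Wortham's compromise), and a separate "keep me signed in" token that is only issued when the user opts in (DSO's condition), is capped at two weeks (tekBlues' figure) and stops working as soon as the password changes, which is the failure mode tekBlues warns about for "forever" logins. The `AuthStore` and `User` classes, the in-memory stores and the time values are assumptions made for illustration, not a real framework's API.

```python
import hashlib
import secrets

# Policy values chosen for this example (assumptions, not from the original answers)
REMEMBER_ME_MAX_AGE = 14 * 24 * 3600   # "keep me signed in" cap: 2 weeks, absolute
SESSION_ABSOLUTE_TIMEOUT = 12 * 3600   # ordinary session: 12 hours, no sliding renewal


class User:
    """Minimal user record. password_generation is bumped on every password change,
    which is what lets the server revoke every outstanding remember-me token."""

    def __init__(self, username):
        self.username = username
        self.password_generation = 0

    def change_password(self):
        # A real implementation also stores the new password hash; only the
        # generation counter matters for the revocation check below.
        self.password_generation += 1


class AuthStore:
    def __init__(self):
        self.users = {}      # username -> User
        self.sessions = {}   # session id -> (username, created_at)
        self.remember = {}   # sha256(token) -> (username, password_generation, expires_at)

    def register(self, user):
        self.users[user.username] = user

    # Ordinary session: the cookie carrying sid would be set without Expires/Max-Age,
    # so closing the browser discards it; the server additionally enforces an
    # absolute deadline measured from creation, not from the last request.
    def create_session(self, user, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user.username, now)
        return sid

    def check_session(self, sid, now):
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        username, created_at = rec
        if now - created_at > SESSION_ABSOLUTE_TIMEOUT:
            del self.sessions[sid]   # expired: forget it server-side too
            return None
        return username

    # Remember-me token: issued only on explicit opt-in, stored as a hash so a
    # leaked database does not yield usable tokens, capped at REMEMBER_ME_MAX_AGE
    # and bound to the password generation current at issue time.
    def issue_remember_token(self, user, now, opted_in):
        if not opted_in:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.remember[digest] = (user.username, user.password_generation,
                                 now + REMEMBER_ME_MAX_AGE)
        return token

    def redeem_remember_token(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.remember.get(digest)
        if rec is None:
            return None
        username, generation, expires_at = rec
        user = self.users.get(username)
        # Reject (and delete) the token if the cap has passed, the user is gone,
        # or the password changed since the token was issued.
        if user is None or now > expires_at or generation != user.password_generation:
            del self.remember[digest]
            return None
        return username


def demo():
    """Walk through the three behaviours and return the observations as a dict."""
    store = AuthStore()
    alice = User("alice")
    store.register(alice)
    t0 = 1_000_000   # constructed epoch timestamp

    sid = store.create_session(alice, t0)
    results = {
        "session_at_11h": store.check_session(sid, t0 + 11 * 3600),
        "session_at_13h": store.check_session(sid, t0 + 13 * 3600),
        "no_optin_token": store.issue_remember_token(alice, t0, opted_in=False),
    }

    tok = store.issue_remember_token(alice, t0, opted_in=True)
    results["token_at_1_week"] = store.redeem_remember_token(tok, t0 + 7 * 24 * 3600)
    results["token_at_15_days"] = store.redeem_remember_token(tok, t0 + 15 * 24 * 3600)

    tok2 = store.issue_remember_token(alice, t0, opted_in=True)
    alice.change_password()
    results["token_after_pw_change"] = store.redeem_remember_token(tok2, t0 + 60)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the session deadline and the remember-me cap are both absolute: neither is pushed forward by activity, so a stolen cookie has a fixed maximum lifetime, and the remember-me token additionally dies the moment the legitimate owner changes their password.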
