User cookie authentication vs. Security

5 Jan 2010 - 6:49pm
5 replies
802 reads
Devin A. Brown
2010

Hi,

I work for a very well-known publishing / corporate site that
attracts a high number of C-level global visitors. Our Security IT
department has asked us to change our login procedures to
auto-log out users after 30 minutes (like a bank) as opposed to never
auto-expiring a login authentication cookie.

Unlike other online publications, we require a free one-time login to
view 95% of the article after a preview "snippet", and we have a
high number of repeat visitors to our web site.

1) Has anyone experienced removing auto-authentication and its
effect on usability on a website?

2) Are there any studies out there that talk to the balance of cookie
authentication vs. logging in every time?

Devin

Comments

6 Jan 2010 - 6:20am
Brian Mclaughlin
2008

As I am sure you are aware, there are different levels of saving info.
Does the login screen need to be blank when a person is logged out
(either by choice or by the system), or can there be trace information
left?

Example...
When returning to the login page:
- the person sees their name and password pre-populated
- the person sees their name pre-populated but no password
- the person sees 2 blank input areas

I do not have any study info on any of these scenarios... which
is what you are asking for... but what is allowed to remain on the
login area may play a part in all of this.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=48213

6 Jan 2010 - 8:52am
Dana Chisnell
2008

On Jan 5, 2010, at 3:49 PM, Devin A.Brown wrote:

> Hi,
>
> I work for a very well-known publishing / corporate site that
> attracts a high number of C-level global visitors. Our Security IT
> department has asked us to change our login procedures to
> auto-log out users after 30 minutes (like a bank) as opposed to never
> auto-expiring a login authentication cookie.
>
> Unlike other online publications, we require a free one-time login to
> view 95% of the article after a preview "snippet", and we have a
> high number of repeat visitors to our web site.
>
> 1) Has anyone experienced removing auto-authentication and its
> effect on usability on a website?
>
> 2) Are there any studies out there that talk to the balance of cookie
> authentication vs. logging in every time?
>
> Devin
>

Devin,

It's about the experience you want your users to have. If you want
it to be smooth and happy - and for people to continue to return to
the site - keeping the cookie authentication is the way to go. When
people are logged out automatically, it takes more effort, which
presents an obstacle to doing something that is optional to them, and
they may not ever come back. This may be the desired outcome. That is,
it may be that your company wants to get more people to commit or go
away.

Dana

:: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: :: ::
Dana Chisnell
415.519.1148

dana AT usabilityworks DOT net

www.usabilityworks.net
http://usabilitytestinghowto.blogspot.com/

6 Jan 2010 - 9:08am
greg
2009

On Tue, Jan 5, 2010 at 8:49 AM, Devin A.Brown wrote:
> I work for a very well-known publishing / corporate site that
> attracts a high number of C-level global visitors.  Our Security IT
> department has asked us to change our login procedures to
> auto-log out users after 30 minutes (like a bank) as opposed to never
> auto-expiring a login authentication cookie.

I think the "right" answer here will depend on some more details about
the site. Banks kick people off after 30 minutes because of the high
exposure associated with a session sticking around after the person
has left the computer: someone might steal their money. What
operations (if any) are possible on your site that reach the
importance of losing money?

If you can come up with a list of those actions that cause so much
concern to the Security IT folks then you can propose an alternative:
require users to re-authenticate if it's been more than 30 minutes
since they logged in and they are trying to do one of those
operations. In this hybrid approach your users will still be able to
easily access the articles you want them to read and yet the really
important operations will be protected. Your users may even thank you
for adding this security enhancement because it shows you care about
their assets.

If there aren't any really important operations that your visitors
take on your site then this sounds like a typical corporate top-down
mandate-for-mandate's-sake. And the best way I know to defeat those is
to get an ally high in the company to see your side of the story who
can fight against it ;)

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com

6 Jan 2010 - 7:51pm
DampeS8N
2008

Interesting side note, at work a few days ago a co-worker went to log
into their bank. When they went to the log in page of the fresh and
new bank site, it saw the cookie from the old site and logged him in.
As someone else.


10 Jan 2010 - 10:39pm
Sean Gerety
2009

One of the things that we did on a recent project is to provide a message
that their session is about to expire and a button for them to click to
extend the session. Should they go beyond the allotted time for the
session, we show a message that asks for their password and we return them
to where they were in the application. None of this is done with cookies.

Cheers,

Sean

On Wed, Jan 6, 2010 at 11:51 AM, William Brall <dampee at earthlink.net> wrote:

> Interesting side note, at work a few days ago a co-worker went to log
> into their bank. When they went to the log in page of the fresh and
> new bank site, it saw the cookie from the old site and logged him in.
> As someone else.

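Greg's hybrid proposal (keep the long-lived reading session, but require a fresh password for sensitive operations once 30 minutes have passed) and Sean's warn/extend/re-prompt flow fit together in one server-side session policy. The following is an added example written for this page, not code from any of the posters or from ixda.org. The action names, the 30-day reading lifetime, the two-minute warning, the user table and the fake clock are all assumptions made for illustration; the point it shows is that the bank-style 30-minute window is applied only to an "elevated" state, never to reading, that the extend button cannot revive an elevated state that has already lapsed, and that a successful re-prompt rotates the session identifier and hands back the page the user was on.

```python
"""Hybrid session policy: read access outlives idleness, sensitive actions need
a recent password, with a warn / extend / re-prompt flow around the 30-minute
window. Added example for this thread, not the posters' own code; every
constant, action name and user below is an assumption for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

READ_SESSION_LIFETIME = 30 * 24 * 3600   # assumed: bounded replacement for a never-expiring cookie
ELEVATION_LIFETIME = 30 * 60             # the bank-style 30 minutes, applied only to sensitive actions
WARN_BEFORE = 2 * 60                     # assumed: show "about to expire" this long before elevation lapses
SENSITIVE_ACTIONS = {"change_password", "change_email", "update_billing"}  # assumed list


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the example: salted PBKDF2 hashes, no plaintext.
_SALT = b"constructed-salt-0001"
USERS = {"devin": _hash_password("correct horse battery staple", _SALT)}


def verify_password(user_id: str, password: str) -> bool:
    stored = USERS.get(user_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


@dataclass
class Session:
    user_id: str
    expires_at: float        # absolute end of read access
    elevated_until: float    # end of the window in which sensitive actions are allowed
    return_to: Optional[str] = None   # page to send the user back to after a re-prompt


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Initial login: returns a fresh session id, elevated for 30 minutes."""
        if not verify_password(user_id, password):
            return None
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now + READ_SESSION_LIFETIME, now + ELEVATION_LIFETIME)
        return sid

    def _live(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() >= s.expires_at:
            del self._sessions[sid]   # read access has ended; drop the session entirely
            return None
        return s

    def authorize(self, sid: str, action: str, path: str) -> str:
        """'ok', 'login' or 'reauth'. Reading an article never asks for a password again."""
        s = self._live(sid)
        if s is None:
            return "login"
        if action not in SENSITIVE_ACTIONS or self._clock() < s.elevated_until:
            return "ok"
        s.return_to = path        # remember where they were for after the password prompt
        return "reauth"

    def elevation_state(self, sid: str) -> tuple[str, int]:
        """What the page should show: ('elevated'|'warn'|'expired'|'login', seconds left)."""
        s = self._live(sid)
        if s is None:
            return ("login", 0)
        remaining = int(s.elevated_until - self._clock())
        if remaining <= 0:
            return ("expired", 0)
        return ("warn" if remaining <= WARN_BEFORE else "elevated", remaining)

    def extend(self, sid: str) -> bool:
        """The 'extend my session' button: only honoured while still elevated."""
        s = self._live(sid)
        if s is None or self._clock() >= s.elevated_until:
            return False
        s.elevated_until = self._clock() + ELEVATION_LIFETIME
        return True

    def reauth(self, sid: str, password: str) -> Optional[tuple[str, Optional[str]]]:
        """Password prompt after expiry: on success returns (new session id, return_to)."""
        s = self._live(sid)
        if s is None or not verify_password(s.user_id, password):
            return None
        del self._sessions[sid]   # rotate the identifier whenever privilege changes
        now = self._clock()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(s.user_id, s.expires_at, now + ELEVATION_LIFETIME)
        return new_sid, s.return_to


class FakeClock:
    """Constructed clock so the 30-minute window can be exercised without waiting."""
    def __init__(self, t: float = 1_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.login("devin", "correct horse battery staple")
    clock.t += 31 * 60
    print(store.authorize(sid, "read_article", "/articles/1"))   # still 'ok'
    print(store.authorize(sid, "update_billing", "/billing"))    # 'reauth'
```

In a real deployment the session id is what goes into the cookie (with Secure and HttpOnly set), the reading lifetime is whatever the business accepts in place of "never", and the client polls `elevation_state` to drive the warning dialog Sean describes; nothing about reading the article is gated on the 30-minute timer.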