When you think of web development, you might not consider user control systems or session lengths. However, these are important web development considerations when you are looking at web authentication, session management and access control.
What is a web session? A web session is a sequence of HTTP request and response transactions that are associated with the same user. Web applications generally need to retain information or status about users across multiple requests.
As a result, sessions provide the ability to establish variables. These variables are often used to hold access rights and localization settings that apply to each interaction a user has with a web application for the duration of a given session. Sessions are useful in applying security access controls, authorizing access to private user data and increasing the usability of applications.
Applications typically have session capabilities both before and after authentication. So what’s the right session length? Security is often a concern with applications after authentication. Therefore, configuring a session idle timeout is important. The idle timeout can be configured to any length. However, the timeout period is 30 minutes by default. This is a good rule of thumb.
Applications with a higher security risk should have a shorter timeout period. You can configure the session length between 5 and 90 minutes depending on the level of security you desire. For the most secure applications, you might want to use a 5-minute session timeout. Just keep in mind that short timeout periods can be a real hassle for users, so use your judgement to find the right balance.
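One way to enforce the idle timeout described above on the server side, as an added example that is not from the original article. `SessionStore`, `touch` and `simulate` are hypothetical names, the store is in-memory, and the 30-minute default and 5 to 90 minute bounds are the figures given above.

```python
import secrets
import time

DEFAULT_IDLE_MINUTES = 30                      # rule-of-thumb default from the text
MIN_IDLE_MINUTES, MAX_IDLE_MINUTES = 5, 90     # range suggested in the text


class SessionStore:
    """In-memory, server-side session store with a sliding idle timeout (assumed design)."""

    def __init__(self, idle_minutes=DEFAULT_IDLE_MINUTES, clock=time.monotonic):
        if not MIN_IDLE_MINUTES <= idle_minutes <= MAX_IDLE_MINUTES:
            raise ValueError("idle timeout must be between 5 and 90 minutes")
        self.idle_seconds = idle_minutes * 60
        self._clock = clock                    # injectable so expiry can be tested
        self._sessions = {}                    # session id -> {"user", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)        # unguessable session identifier
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def touch(self, sid):
        """Return the user and restart the idle timer, or None if expired or unknown."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self.idle_seconds:
            del self._sessions[sid]            # expire on the server, not just in the cookie
            return None
        entry["last_seen"] = self._clock()     # activity slides the window forward
        return entry["user"]


def simulate(idle_minutes, gaps_minutes):
    """Replay requests separated by idle gaps (minutes); return whether each was accepted."""
    now = [0.0]                                # constructed fake clock, in seconds
    store = SessionStore(idle_minutes, clock=lambda: now[0])
    sid = store.create("alice")                # constructed sample user
    results = []
    for gap in gaps_minutes:
        now[0] += gap * 60
        results.append(store.touch(sid) == "alice")
    return results


if __name__ == "__main__":
    print(simulate(30, [10, 25, 31, 1]))       # default timeout
    print(simulate(5, [4, 6]))                 # high-security timeout
```

The timer restarts on every accepted request, so an active user is not logged out at a fixed wall-clock limit, and once a session has expired the same identifier is rejected on later requests.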
Your web development professional will be able to help you further determine what the right session length is for your web application. Every application is different, but a seasoned web developer will be able to provide informed recommendations to make your user control systems user-friendly and secure.