series: Login Bingo ➤

by Matthew Lyon  •  March 5, 2025

Amazingly Short Sessions

It’s time to log in to the system to do the thing. Actually, you did that an hour ago, but you were logged out for “inactivity” even though you thought you were actively using the site. Maybe the system provided a warning and returned you to the login screen. Maybe it didn’t, and you tried interacting with it, and things are just failing for reasons that aren’t clear until you decode the error messages. Maybe they just want you to log in every half an hour.

No matter the case, it’s apparently time to log in. Again.


Whatever the excuse, the experience of being logged out because you weren’t “active” enough is frustrating.

I was recently logged out of a government website trying to deal with paying taxes because I didn’t interact with the page for five minutes, while I was merely trying to look something up so I could do it correctly. There’s a paranoia to this pattern that is rarely justified.

I don’t think that paranoia is overblown — many people use public computers at libraries or computer labs for a variety of circumstances, and some of those people might not be very savvy in their security practices. If using government sites like the one I cited is one of the reasons for using the computer to begin with, well, perhaps this short session life is justified: you can’t necessarily rely on people signing out when they’re done, and you don’t want the next person who comes along to resume the active session.

This line of thought quickly gets into really thorny territory with no easy solutions. What if someone was shoulder surfing with nefarious intent, and resumes the previous person’s government site session before it expires fully? Perhaps you could use Session cookies — those with no Max-Age or Expires attribute — which are supposed to be cleared when the browser’s session ends? This relies on the browser on a public computer being configured correctly, and locked down to stay that way.

Which is all a sad artifact of how mainstream computing is centered on single-user systems. You can make many user accounts on modern operating systems, and I could envision a system where someone used their library card to access the computer, similar to using an ATM card. Maybe this is infeasible, and maybe anonymity is a feature, but we’re stuck with this greater context for the foreseeable future, and potentially sensitive systems which exist inside of them have to operate in those contexts.

To be clear: I believe there are contexts in which short sessions are well-justified, typically involving elevated privileges and catastrophic consequences. Those contexts probably also justify using the two person rule.

But short session life is still annoying, and that’s what Login Bingo is about. If you’re questioning whether you experienced a short enough session to mark this on your bingo card, you probably did.

If you’re going to limit sessions to short lives, please at least make the effort to let people know they’ve been signed out after the expiry time. Especially change the interface to prevent them from interacting with a system they’re no longer authenticated with, without being aware their authentication expired. Their session may be closed, but their tabs are not.
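One way to act on that last request, as an added example that is not code from this essay: a small client-side guard that warns before expiry, locks the interface once the session ends, and treats a 401 from the server as the same event. The name `createSessionGuard`, its options, and the assumption that the server tells the page when the session expires are all hypothetical.

```javascript
// Added example. createSessionGuard and its option names are hypothetical.
// expiresAt is the session expiry (epoch ms) as reported by the server.
function createSessionGuard({ expiresAt, warnMs, onWarn, onExpire,
    now = Date.now, setTimer = setTimeout, clearTimer = clearTimeout }) {
  let state = "active";
  let timers = [];

  function expire(reason) {
    if (state === "expired") return;        // notify exactly once
    state = "expired";
    timers.forEach((t) => clearTimer(t));
    onExpire(reason);                       // e.g. disable forms, show sign-in prompt
  }

  function warn(remaining) {
    state = "warning";
    onWarn(remaining);
  }

  function schedule() {
    timers.forEach((t) => clearTimer(t));
    const remaining = expiresAt - now();
    if (remaining <= 0) return expire("timeout");
    timers = [setTimer(() => expire("timeout"), remaining)];
    if (remaining > warnMs) {
      timers.push(setTimer(() => warn(warnMs), remaining - warnMs));
    } else {
      warn(remaining);                      // already inside the warning window
    }
  }

  schedule();
  return {
    get state() { return state; },
    // The server extended the session; restart both timers.
    renew(newExpiresAt) {
      if (state === "expired") return;
      expiresAt = newExpiresAt;
      state = "active";
      schedule();
    },
    // Feed every API response status in: a 401 means the server already ended it.
    observeStatus(status) { if (status === 401) expire("server"); },
    // Timers stall in background tabs and during sleep; call on visibilitychange.
    recheck() { if (state !== "expired" && now() >= expiresAt) expire("timeout"); },
  };
}
```

In a page, `onExpire` is where the forms get disabled and the sign-in prompt appears, and `recheck` belongs on the document's `visibilitychange` event so a tab that was left in the background learns its session is gone as soon as someone returns to it.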
