Can the Session Timeout for Inactive Admin Users be Changed?

Session timeouts are a complex issue, mostly because they involve tradeoffs and judgment calls. People usually want longer timeouts because logging in is a pain. We're not planning on making changes here unless there's some compelling new argument. Here are the main pros and cons.

Long sessions are more convenient because they reduce the number of logins, but:

- They present a security risk (more time during which the session can be hijacked by various means).
- They consume concurrent access licenses, since the privilege is held until the user logs out (rare) or the session expires.
- They consume resources on the server (not really a significant issue right now).

Shorter sessions:

- Are more secure against hijacking.
- Release concurrent access licenses more quickly (which is more accurate, as long as the web session is long enough to cover a typical period of user work).
- Bog the server down less.

Our server has a single global session duration of 30 minutes. This is because we use the built-in session management of our application server. The fact that it doesn't offer more options out of the box reflects general practice across the net. We can't change this per site without doing some engineering that we don't see paying off in real improvement.

That number is not written in stone by any specific technical factor, but 15-30 minutes has proven to be a practical balance of these tradeoffs for large publication sites. Concurrent access is the main driver here, but if we had longer sessions, security would overtake it quickly: really long sessions (on the order of hours or days) basically require a secure web connection for all traffic in order to be secure against hijacking.