bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Nov 11, 2014 15:42:05 GMT
chris, Colin, the site is 'logging me out' after a few seconds. I used quotes as it is a pop-up saying I am logged out due to inactivity, but it doesn't actually log me out. I can still return to the dashboard, but no further.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Nov 11, 2014 15:46:08 GMT
It seems to be fine now. Thank you for fixing.
Post by chris on Nov 11, 2014 15:46:45 GMT
Yup, we know why (background service restarting, JavaScript not detecting this and thinking the session has timed out). Will have a fix up soon.
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Nov 11, 2014 15:47:46 GMT
Make it an hour!!
mike
Member of DD Central
Posts: 187
Likes: 121
Post by mike on Nov 11, 2014 15:54:27 GMT
chris I raised this auto logged out issue weeks ago. In the meantime I've seen cosmetic changes made to the site (along with important ones too) but this most annoying of features still persists. Is it such a big deal to fix it?
Post by chris on Nov 11, 2014 16:03:50 GMT
> chris I raised this auto logged out issue weeks ago. In the meantime I've seen cosmetic changes made to the site (along with important ones too) but this most annoying of features still persists. Is it such a big deal to fix it?

It's not so much that it's a big deal to fix or change but that we're caught between what is considered best practice (and therefore what our auditors and regulators are likely to expect) and what *some* of our lenders want. The external advice I've had from one adviser who works in the banking industry was that we should be requiring 20 character passwords that change every 3 months and that sessions should time out after 5 minutes. Naturally I've pushed back on that as impractical but I do need to juggle all requirements. There's a definite usability issue when it comes to some API driven actions not refreshing the session that is fairly easy to fix, but of medium not high priority, and that will alleviate the issue. There's also a potential issue with background tabs and the way JavaScript runs (or does not) in those that we're investigating and will fix soon.
mike
Member of DD Central
Posts: 187
Likes: 121
Post by mike on Nov 11, 2014 16:11:55 GMT
chris why don't you default to the 5 mins or whatever and allow the users to change it if they wish. Ratesetter has that facility.
Post by chris on Nov 11, 2014 16:18:28 GMT
> chris why don't you default to the 5 mins or whatever and allow the users to change it if they wish. Ratesetter has that facility.

Just because another platform does something we can't assume that this is acceptable practice - RS use the word saver in many places, for example, whereas we've had a letter from the FCA saying not to use that word or describe P2P as a method of saving money. Making it user configurable isn't as easy as setting a global value, several services would need to be made aware of this and look up the user's preference on each request in order to refresh the session for the correct time. It's likely to come, although I need to run it past our compliance officer, but it's going to be weeks not days before we get to that.
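The behaviour chris describes in this thread (a backend restart being mistaken for a timeout, API calls that do not refresh the session, and a per-user idle limit that has to be looked up on every request), as an added example that is not the platform's own code. The policy limits and the status-code mapping are constructed assumptions for the illustration.

```javascript
// Added illustration, not the platform's own code. Models the two problems
// the thread describes: API calls that do not refresh the idle timer, and a
// per-user idle limit that the server must look up on every request.
// All limits below are constructed policy values, not the site's real ones.
const POLICY = {
  minIdleMs: 5 * 60 * 1000,      // tightest limit a user may choose
  defaultIdleMs: 20 * 60 * 1000, // applied when the user has no preference
  maxIdleMs: 60 * 60 * 1000,     // ceiling the compliance policy allows
};

// Clamp a user's requested idle limit into the policy window.
function effectiveIdleMs(userPrefMs) {
  const wanted = Number.isFinite(userPrefMs) ? userPrefMs : POLICY.defaultIdleMs;
  return Math.min(POLICY.maxIdleMs, Math.max(POLICY.minIdleMs, wanted));
}

class SessionStore {
  // `now` is injectable so the sliding window can be tested deterministically.
  constructor(now = Date.now) { this.now = now; this.sessions = new Map(); }

  create(sessionId, userPrefMs) {
    this.sessions.set(sessionId, { idleMs: effectiveIdleMs(userPrefMs), lastSeen: this.now() });
  }

  // Every authenticated request, page load or background API call alike,
  // must go through here; that is what keeps the idle window sliding.
  touch(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) return 'missing';
    if (this.now() - s.lastSeen > s.idleMs) { this.sessions.delete(sessionId); return 'expired'; }
    s.lastSeen = this.now();
    return 'active';
  }
}

// Browser side: a restarting backend answers with 5xx or no response at all
// (XHR reports status 0). Only an explicit authentication failure means the
// session is really gone; anything else should be retried, not shown as
// "logged out due to inactivity".
function classifySessionCheck(httpStatus) {
  if (httpStatus === 401 || httpStatus === 403) return 'logged-out';
  if (httpStatus === 0 || httpStatus >= 500) return 'backend-unavailable';
  return 'active';
}
```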
mike
Member of DD Central
Posts: 187
Likes: 121
Post by mike on Nov 11, 2014 16:21:44 GMT
chris thanks for the reply. I guess I'll have to soldier on, sob, sob, (:
bugs4me
Member of DD Central
Posts: 1,845
Likes: 1,478
Post by bugs4me on Nov 11, 2014 16:26:48 GMT
> > chris why don't you default to the 5 mins or whatever and allow the users to change it if they wish. Ratesetter has that facility.
>
> Just because another platform does something we can't assume that this is acceptable practice - RS use the word saver in many places, for example, whereas we've had a letter from the FCA saying not to use that word or describe P2P as a method of saving money. Making it user configurable isn't as easy as setting a global value, several services would need to be made aware of this and look up the user's preference on each request in order to refresh the session for the correct time. It's likely to come, although I need to run it past our compliance officer, but it's going to be weeks not days before we get to that.

Gawd chris, the FCA - reminds me of the old FSA - damned if you do and....... OOI, does the FCA differentiate between P2P and P2B, or is it all rolled up into one? IMO, AC are really into the P2B sector.
Post by bracknellboy on Nov 11, 2014 16:27:51 GMT
> > chris why don't you default to the 5 mins or whatever and allow the users to change it if they wish. Ratesetter has that facility.
>
> Just because another platform does something we can't assume that this is acceptable practice - RS use the word saver in many places, for example, whereas we've had a letter from the FCA saying not to use that word or describe P2P as a method of saving money. Making it user configurable isn't as easy as setting a global value, several services would need to be made aware of this and look up the user's preference on each request in order to refresh the session for the correct time. It's likely to come, although I need to run it past our compliance officer, but it's going to be weeks not days before we get to that.

Most financial sites I use log me out after 20 minutes or indeed less in many cases. I accept it as part of general security practices.
Post by chris on Nov 11, 2014 16:30:53 GMT
> > Just because another platform does something we can't assume that this is acceptable practice - RS use the word saver in many places, for example, whereas we've had a letter from the FCA saying not to use that word or describe P2P as a method of saving money. Making it user configurable isn't as easy as setting a global value, several services would need to be made aware of this and look up the user's preference on each request in order to refresh the session for the correct time. It's likely to come, although I need to run it past our compliance officer, but it's going to be weeks not days before we get to that.
>
> Gawd, the FCA - reminds me of the old FSA - damned if you do and....... OOI, does the FCA differentiate between P2P and P2B, or is it all rolled up into one? IMO, AC are really into the P2B sector.

Don't get me wrong - I have no idea if the FCA will care about session timeout times on the site. However they are likely to care that we can justify our choices should it ever come up. The current choice is a balance between the advice we've been given, best practices from my own past experience, and what is practical. As I say, before committing to a user configurable setting, which in itself is going to be a bit of work to do properly, I'd need to run it past our compliance officer. P2B isn't differentiated. The only differentiation, as I understand it, is between equity crowd lending, crowd funding, reward based crowd funding and donations.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Nov 11, 2014 17:00:26 GMT
> chris why don't you default to the 5 mins or whatever and allow the users to change it if they wish. Ratesetter has that facility.

mike and oldgrumpy and others could always use a password manager for AC. You log into your password manager (with a long password) and it automatically fills in your passwords for you. You can normally set the password manager timeout to any length you want. When AC logs you out, the password manager will automatically fill in your username and password, leaving you to click enter and fill in your additional security question. Some password managers can handle the additional security question.
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Nov 11, 2014 17:07:34 GMT
Hi bigfoot12, I've always been wary of asking my computers to remember any of my passwords, except for non money handling sites, just in case of machines being stolen or hacked into, not even with password manager software. Paranoid?
Post by pepperpot on Nov 11, 2014 17:20:29 GMT
> Hi bigfoot12, I've always been wary of asking my computers to remember any of my passwords, except for non money handling sites, just in case of machines being stolen or hacked into, not even with password manager software. Paranoid?

No, I'm the same, I use the much safer 'write them all down on sticky notes' method, hasn't gone wrong so far...