Looking to get more feedback and discussion around this request before we implement any changes.

Thanks,
Moisey

I think the simplest solution will be to just let customers set their timeout values themselves.

This way those that like to stay logged in can do so, others can choose lower values.

Thanks

I prefer infinite sessions.

No!

Thanks for the feedback =]

Absolutely, yes. I keep my browser open for weeks. It scares me that someone could go to digitalocean.com/droplets on my laptop, and have the ability to destroy my entire infrastructure without even having to reenter my password.

Not a good idea. I hate the "auto logout"!

N

The current timeout is set to expire when you close your browser but we will be looking into implementing a timeout value that customers can choose themselves, most likely something like:

Browser (stay logged in while browser is open)
3 hours
12 hours
24 hours
1 week

If anyone has any other suggestions let us know!

We have another request for this and we'll be implementing timeout values that customers can set =]

So this will be configurable? Personally I want my sessions to last longer. I work from home so I'm not to worried about others jumping on my computer.

I prefer Google's approach where they only ask you to verify your two factor authentication token every 30 days.

Totally roll w/the crowd that believes that 15 mins. is waaaaaaaay too short

A session management screen would be really good to have, so I can logout from some computer I've used to manage my droplets but doesn't have logged out.

Browser session gives unlimited access to the infrastructure hosted at DO.

We really see this as a major threat to our production infrastructure.

Even more so with a trend of laptops being rebooted very rarely by programmers and admins. In practice, the session persists for many days, and of course one cannot rely on "sign out" being always used by all team members.

Please kindly implement an option to expire the session in a reasonable time frame (like 30 - 60 minutes).

IMO this is a security threat. If you want you can give the user the choice but at least make the default a finite value.

Every serious service/provider use automatic session expiration. You should implement this feature if you care about security of your real customers.

For others who do not want automatic session expiration you might implement "Remember me" or similar checkbox on login page.

Currently DigitalOcean keeps sessions even after closing web browser.

DigitalOcean isn't Facebook or Instagram and should provide every possible mechanism to improve users security.