your session has expired: the sorry state of web session timeouts
I used to work in a team managing an authentication infrastructure. It was based on Kerberos. We went with the default session length of 10 hours. The idea behind this default was: it's long enough for a work day including breaks, plus a bit. When stuff stops working because the user has been logged out, they are free to log in again if they really want, but maybe they also appreciate the reminder that it's time to go home.

The world of web site timeouts, for online banking or anything finance related, is different. It's a race to the bottom. How quickly can you kick someone off the service and still sometimes let them achieve the thing they logged in to do? Because it might not be them! So better limit the time the not-them has to do stuff. Or maybe the them lets a not-them take over their session part way through. So better log them out just in case.

This is all the wrong approach to authentication. Authenticatio...