We have been asked to consider extending our session timeouts for access to
web-based services. We currently operate on the basis that the session
should expire after 20 minutes of inactivity, which we have always
understood is a reasonable balance between security and usability.
We are currently integrating our web-based login processes with access to
Shibboleth protected services. Is there a best practice recommendation for
session timeouts, especially in the light of federated access management?