Sessions As Password Equivalents
By Adrian Sutton
If you use sessions to track logins, the session key acts as a password equivalent while the session is active. So if anyone can intercept that session key, they can masquerade as the logged-in user without knowing their actual password. Hence, sessions time out to improve security by giving only a small window in which the session key can be used. This of course drives users crazy because they have to log in again and again.
It occurs to me, though, that if you’re using SSL and using cookies for the session key, it should be just as secure as basic authentication over SSL. The big exception is shared computers, if the cookie lasts longer than a browser session. To handle shared computers you’d have a log-out option and by default set the cookie to last only the length of the browser session.
Am I missing something, or is it reasonable to have sessions that don’t time out if you know that the connection is over SSL and it’s not a shared computer? To avoid creating a session leak effect, you may still want to time out sessions if they’re unused for a week or a month or something, and obviously memory management comes into it, but that should be fairly manageable.
Is this done? Is it reasonable? What kind of security risks does it create? There’s certainly a lot of benefit to users…
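As an added illustration of the scheme the post sketches (not code from the post or its author): a minimal in-memory session store whose keys expire only after a period of inactivity, never on wall-clock age, plus the Set-Cookie attributes that keep the key to the browser session and to the SSL/TLS connection. The class and function names and the one-week idle window are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 7 * 24 * 3600  # assumed: one week of inactivity, as the post suggests


@dataclass
class Session:
    user: str
    last_used: float


class SessionStore:
    """Sessions never expire by age; only an unused key is dropped (idle timeout)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        # The key is a password equivalent, so it must be long and unguessable.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = Session(user, now)
        return key

    def lookup(self, key, now=None):
        """Return the user for a live key and refresh its last-used time; None otherwise."""
        now = time.time() if now is None else now
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s.last_used > self.idle_timeout:
            del self._sessions[key]  # idle too long: treat it as a logout
            return None
        s.last_used = now  # sliding window: activity keeps the session alive
        return s.user

    def logout(self, key):
        self._sessions.pop(key, None)

    def purge(self, now=None):
        """Memory management: drop every idle key; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [k for k, s in self._sessions.items() if now - s.last_used > self.idle_timeout]
        for k in stale:
            del self._sessions[k]
        return len(stale)


def session_cookie_header(key):
    """No Max-Age/Expires, so the browser discards the cookie when closed (shared-computer
    case); Secure, so it only travels over SSL/TLS; HttpOnly, so page scripts cannot read it."""
    return f"sid={key}; Path=/; Secure; HttpOnly"
```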