
> Perhaps you used the shared computer in the library to access your web application, and forgot to log out.

> Is this a thing? Are shared computers without user separation a thing? If so, these shouldn’t be used to access web applications with sensitive information at all.

Yes, it is a thing.

I understand you would like it to not be a thing.



Heh, author gave a perfectly reasonable example of where use might be shared, and immediately asked "Is this a thing?".

Like, yes. It is. You literally JUST gave me an example of it.

Also this, shortly after:

> Are shared computers without user separation a thing? If so, these shouldn’t be used to access web applications with sensitive information at all

That "should" is doing a lot of heavy lifting. You don't decide which security controls to implement based on your best-behaved users.


It's not even about behaviour.

Some government services switching over to fully digital means there's a cohort of people being left behind. A decreasing number, sure, but a number nonetheless.

Effectively the author is saying poor people who need to use library PCs shouldn't get security.


The article bringing up that scenario and immediately dismissing it actually convinced me to change my opinion to the opposite of the article's thesis. I generally haven't seen the need for short session expirations in the past (when I've thought about it, which isn't often), but I hadn't thought about the shared-computer scenario before. Keeping that in mind, and knowing that it can't be handwaved away (as you point out), short sessions make more sense to me now.


It reminds me of when I didn't understand why my library account has such a short expiration time. Almost every time I open the library's website, I have to re-enter the password. Why? What's so important about a library account? Who's going to borrow a book on behalf of me?

And then I realized that logging into your library account is probably one of the most frequent things on all the shared computers in the library.


Even if it is a thing - after using a shared computer one MUST log out. If the 15 minute expiration time saved you then you're just damned lucky!


That's reasonable to do, but not necessarily to ask for. What if you lose your internet connection and can't log out? Or have a power cut, or have to leave in a hurry, or drop dead on the keyboard while using the computer?

Unfortunately for devs, RL is messy and even if you can convince some people to do the best thing, if you're large enough you have to go by Murphy's Law and work around the people that you know won't / can't.


I have a feeling a lot of people get "lucky" a lot.



