
The main reason you would want short user sessions is if you can't be sure whether the end user device is adequately secured.

For example, if you're building a banking application, there's a huge monetary risk in allowing someone to potentially leave an open session on an unlocked shared computer.

Is this something that we could resolve with browser standards, for example the browser being able to provide some kind of a hint about how well secured the end user terminal is? Not cryptographic remote attestation or anything, just something simple like a header or API that would return some basic information such as whether the user has a screen lock with password enabled and whether the computer is a shared device or kiosk.

On Android, there is the KeyguardManager.isDeviceSecure method which provides this sort of functionality.
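
An added example, not part of the comment above: an Android app using `KeyguardManager.isDeviceSecure` to choose between a long and a short idle timeout. The `SessionPolicy` class, its method names and both timeout values are assumptions made for illustration.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.os.SystemClock

// Added example: idle-timeout policy driven by KeyguardManager.isDeviceSecure.
// SessionPolicy, its method names and the timeout values are assumptions.
class SessionPolicy(context: Context) {
    private val keyguard =
        context.applicationContext.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager

    // Monotonic clock that keeps counting during sleep and is not affected
    // by the user changing the wall-clock time.
    private var lastActivityMs = SystemClock.elapsedRealtime()

    // isDeviceSecure (API 23+) is true when a PIN, pattern or password is set.
    // It does not say whether the device is shared, so it is only a hint.
    private fun idleLimitMs(): Long =
        if (keyguard.isDeviceSecure) SECURE_IDLE_MS else INSECURE_IDLE_MS

    // Call on every user interaction that should keep the session alive.
    fun onUserActivity() {
        lastActivityMs = SystemClock.elapsedRealtime()
    }

    // Call from onResume() and before each sensitive request. The limit is
    // re-read on every call because the screen lock can be removed mid-session.
    fun isSessionExpired(): Boolean =
        SystemClock.elapsedRealtime() - lastActivityMs > idleLimitMs()

    companion object {
        const val SECURE_IDLE_MS = 30 * 60 * 1000L   // assumed value: 30 minutes
        const val INSECURE_IDLE_MS = 2 * 60 * 1000L  // assumed value: 2 minutes
    }
}
```

The result is reported by the client, so a server should still enforce its own maximum session lifetime and use this check only to shorten sessions, never to extend them.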


