Tags: security, session-timeout, e-commerce

Session timeout security concerns


I am creating an e-commerce site. Long session timeouts would be really convenient for customers. I think the shortest acceptable timeout would be a week.

I read about the security risks of long session timeouts. However, it allows me to return to websites after a month and I'm still logged in. Sites like stackoverflow.com, gog.com, and g2a.com all use long session timeouts. What is the general rule about this?

Some sites use short session timeouts but automatically check a "Remember me" checkbox or use a token in a cookie with the same result. Is there any difference?


Solution

  • If you allow long session timeouts by default, then the risk is on shared computers: a future user accesses the session of the current user. If you try to blame the user for not logging out, then you will find your user base dwindle and you will have to deal with a lot of end user complaints.

    Best practice is to have a short timeout by default, but allow an option 'remember me on this device' so that people can opt into long sessions if they are in a trusted environment. The golden rule is "secure by default".
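The following is an added example, not code from the original question or answer, that shows the "short timeout by default, opt-in remember-me" pattern the answer recommends, and in doing so answers the question's last point about whether a "remember me" token differs from simply making the session long. The `AuthStore` class, the 30-minute idle and 30-day token lifetimes, and the `selector:validator` cookie layout are all illustrative assumptions; a real site would back the two dictionaries with its session and token tables.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Secure-by-default timeouts (assumed values for the example): a short idle
# timeout for the plain session, and a long lifetime only for the opt-in
# "remember me on this device" token.
SESSION_IDLE_SECONDS = 30 * 60            # 30 minutes without a request ends the session
REMEMBER_ME_SECONDS = 30 * 24 * 60 * 60   # the opt-in token lives 30 days


@dataclass
class Session:
    user_id: str
    last_seen: float


def _hash(validator: str) -> str:
    # Only the hash of the validator is stored, so a leaked token table does
    # not hand out usable remember-me cookies.
    return hashlib.sha256(validator.encode()).hexdigest()


class AuthStore:
    """In-memory stand-in for the server-side session and token tables."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # selector -> (user_id, sha256(validator), expiry timestamp)
        self.remember_tokens: Dict[str, Tuple[str, str, float]] = {}

    def login(self, user_id: str, remember_me: bool = False, now: Optional[float] = None) -> dict:
        """Start a short-lived session; optionally also issue a remember-me token."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, now)
        cookies = {"session": sid}
        if remember_me:
            cookies["remember"] = self._issue_remember_token(user_id, now)
        return cookies

    def _issue_remember_token(self, user_id: str, now: float) -> str:
        # Selector/validator split: the selector is the lookup key, the validator
        # is the secret, so the table lookup never depends on the secret part.
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self.remember_tokens[selector] = (user_id, _hash(validator), now + REMEMBER_ME_SECONDS)
        return f"{selector}:{validator}"

    def resolve(self, cookies: dict, now: Optional[float] = None) -> Tuple[Optional[str], dict]:
        """Identify the user for a request.

        Returns (user_id, cookies_to_set). user_id is None for an anonymous
        request; cookies_to_set carries a rotated remember-me token and a
        fresh session id whenever the long-lived token had to be used.
        """
        now = time.time() if now is None else now
        sess = self.sessions.get(cookies.get("session", ""))
        if sess is not None:
            if now - sess.last_seen <= SESSION_IDLE_SECONDS:
                sess.last_seen = now                 # sliding idle window
                return sess.user_id, {}
            del self.sessions[cookies["session"]]    # idle timeout: drop the session for good

        # No live session: fall back to the opt-in remember-me token, if present.
        token = cookies.get("remember")
        if not token or ":" not in token:
            return None, {}
        selector, validator = token.split(":", 1)
        record = self.remember_tokens.get(selector)
        if record is None:                           # unknown or already-rotated selector
            return None, {}
        user_id, validator_hash, expires = record
        if now > expires:
            del self.remember_tokens[selector]
            return None, {}
        if not hmac.compare_digest(validator_hash, _hash(validator)):
            # Known selector with the wrong secret: the token was tampered with
            # or guessed, so revoke every remember-me token for the account.
            self.revoke_all(user_id)
            return None, {}
        # Valid single-use token: rotate it and mint a fresh short session.
        del self.remember_tokens[selector]
        return user_id, self.login(user_id, remember_me=True, now=now)

    def revoke_all(self, user_id: str) -> None:
        """Invalidate every remember-me token for a user (e.g. on password change)."""
        for sel in [s for s, rec in self.remember_tokens.items() if rec[0] == user_id]:
            del self.remember_tokens[sel]

    def logout(self, cookies: dict) -> None:
        """Explicit logout on a shared computer kills both the session and the token."""
        self.sessions.pop(cookies.get("session", ""), None)
        token = cookies.get("remember", "")
        if ":" in token:
            self.remember_tokens.pop(token.split(":", 1)[0], None)
```

The difference from a month-long session is that the long-lived cookie here is a separate credential: it is single-use (rotated on every use), stored only as a hash, revocable per account, and it never carries the session itself, so a copied cookie stops working as soon as the legitimate browser uses it once. Both cookies should additionally be set with the `HttpOnly`, `Secure` and `SameSite` attributes so that script and cross-site requests cannot read or send them.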