I'd like to solicit opinions of Web devs and the technically versed on security practices and associated risks surrounding Web session management.
I appreciate your time and feedback.
(There is a point to these questions, but I want to get opinions that are as unbiased as possible prior to revealing my reasoning)
The banking site used in the questions below can and should be substituted for whatever site you feel has significantly high value for attack.
A better example is to think of a Bitcoin related site where the target value is very high.
1. Does the web site of your financial institution, specifically the authenticated account area, allow persistent session tokens/IDs across browser window sessions (closing the tab and re-opening the site)?
2. Does any web site of sufficient importance and sensitivity to you allow long (hours/days) session token expiration periods? (bitcointalk excluded)
3. Would you feel comfortable with highly sensitive web sites, such as your online banking, not forcefully expiring sessions either on short (10 minutes) timer or at browser session termination?
4. Would you feel comfortable with a non-technical person of close relationship to you using a sensitive web site that persists session IDs as defined above?
5. Do you feel that users of sensitive sites neglecting to use manual session management triggers (log-out) is a valid use case that should be planned for, with countermeasures implemented?
Thanks.
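The countermeasures the questions above gesture at (a browser-session-scoped cookie for question 1, a short idle timer for question 3, and server-side revocation for users who never log out, question 5) can be shown in one small session store. This is an added example, not code from the original post; the 10-minute idle timer is the value named in question 3, while the 8-hour absolute cap, the cookie name `sid`, and the `SessionStore` API are assumptions made for illustration.

```python
import secrets
import time

# Constructed policy values: the 10-minute idle timer comes from question 3;
# the 8-hour absolute cap is an assumed value for illustration.
IDLE_TIMEOUT = 10 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


class SessionStore:
    """Server-side session table enforcing idle and absolute expiry."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session, or None after revoking a stale one."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s["last_seen"] > self.idle
        absolute_expired = now - s["created"] > self.absolute
        if idle_expired or absolute_expired:
            del self._sessions[sid]  # server-side revocation, not just cookie removal
            return None
        s["last_seen"] = now  # sliding idle window
        return s["user"]

    def logout(self, sid):
        """Explicit log-out (question 5): revoke server-side regardless of timers."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value with no Expires/Max-Age: the browser discards it when the
    browser session ends, so the token does not persist across restarts (question 1)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Browsers configured to restore the previous session on startup may keep such "session" cookies anyway, so the server-side idle and absolute timers are the control that actually holds.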