Krikium

Reputation: 3

What is more secure concerning Cookies expiration time?

Concerning cookies expiration time, what is the best practice for a secure application?

The login system is an SSO that I can't manage, so the ["remember me"][1] option is not possible.

There are 2 solutions:

  1. Time expiration: the cookie would expire after a specific amount of time, i.e. 4 hours. But if the user uses a shared computer and forgets to log out, another user could access the web application.
  2. Session expiration: the cookie would expire after the web browser is closed (or [even worse][2]). But what if the user never closes his session and always keeps his computer turned on? The cookie would never expire even if the user doesn't need access to the web application.

Is there not a way to do both at the same time? Base the cookie expiration on the session with a maximum duration of time...

NB: Believing in a security-aware user is a sweet dream, thus trusting in the user logging out is not feasible.

[1]: What is an acceptable expiration time for a cookie
[2]: When does a cookie with expiration time 'At end of session' expire?

Upvotes: 0

Views: 636

Answers (1)

Ethan Thompson

Reputation: 56

Since no one else has taken a stab at this question, I'll hopefully get the ball rolling, lol. I'm not sure if this will exactly answer your question, but I'll try my best :).

I think that given the 2 solutions you have presented, along with the dependency of the user behavior, I really don't think there is a good answer in terms of "best practice" (which may also be subjective).

If both solutions were used (that is, a cookie that expires after a specific amount of time [i.e., 4 hours] OR at the end of a session) you would also take on the "cons" of each of those approaches. So, if the user forgets to log out within the expiration period and does not close their session, there is an issue.

So what I am saying is that in any case, the security is based on the user behavior and there will always be these flaws. Using a mix of solutions (defense-in-depth), as you have suggested, is a good line of thinking.

Upvotes: 0
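The combination the question asks for (a cookie that dies with the browser but also has a hard cap) is usually achieved by keeping the cookie itself a session cookie (no `Expires`/`Max-Age`) and enforcing both an absolute lifetime and an idle timeout on the server-side session record that the cookie identifies. The example below is added here and is not code from the question or the answer; it assumes an in-memory session store, the 4-hour cap mentioned in the question, and a 30-minute idle timeout that I chose for illustration. The fake clock is constructed so the example runs offline and deterministically.

```python
import secrets
import time
from dataclasses import dataclass

# Hard cap from the question (4 hours) and an idle timeout chosen for illustration.
ABSOLUTE_LIFETIME = 4 * 60 * 60   # seconds since the session was created
IDLE_TIMEOUT = 30 * 60            # seconds since the last request on the session


@dataclass
class SessionRecord:
    user: str
    created: float      # timestamp when the session was issued
    last_seen: float    # timestamp of the most recent validated request


class SessionStore:
    """Server-side sessions referenced by an opaque, unguessable cookie value."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._sessions: dict[str, SessionRecord] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits of randomness
        t = self._now()
        self._sessions[sid] = SessionRecord(user, t, t)
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Deliberately no Expires/Max-Age: the browser discards it when closed.
        # The server-side timeouts below still apply if the browser stays open.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def validate(self, sid: str):
        """Return (user, status); status is 'ok' or the reason for rejection."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown"
        t = self._now()
        if t - rec.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]          # hard cap: activity cannot extend it
            return None, "absolute_expired"
        if t - rec.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]          # abandoned on an open browser
            return None, "idle_expired"
        rec.last_seen = t                    # sliding idle window
        return rec.user, "ok"

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the demo is deterministic."""

    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(now=clock.now)

    # Alice: active once, then leaves the browser open and walks away.
    alice = store.create("alice")
    alice_trace = [store.validate(alice)[1]]          # t = 0
    clock.advance(25 * 60)
    alice_trace.append(store.validate(alice)[1])      # 25 min idle: still ok
    clock.advance(31 * 60)
    alice_trace.append(store.validate(alice)[1])      # 31 min idle: idle_expired

    # Bob: keeps clicking every 10 minutes, so idle never triggers,
    # but the absolute cap ends the session anyway.
    bob = store.create("bob")
    bob_trace = []
    for _ in range(25):                               # 250 minutes > 4 hours
        clock.advance(10 * 60)
        bob_trace.append(store.validate(bob)[1])

    return {
        "alice": alice_trace,
        "bob_ok_count": bob_trace.count("ok"),
        "bob_final": bob_trace[-1],
        "cookie": SessionStore.set_cookie_header(alice),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that neither expiry decision is left to the client: the browser-close behaviour comes from omitting `Max-Age`, while the shared-computer and never-closes-the-browser cases from the question are both handled by the server rejecting the session id, regardless of what the cookie says.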
