Shiva has been working on a new feature that will allow you to customize how long Remember Me lasts. What is Remember Me? It is the little checkbox on the login screen that remembers who you are so that you don't have to log in every time. This is a great convenience, but as always in the security-versus-convenience tradeoff, it isn't very secure. Why isn't it secure? Because it grants that user on that computer (through cookies) unlimited access to the account until they log out. This can be dangerous if you accidentally use Remember Me on a public computer or if your personal computer is stolen. Currently you can mitigate this risk by turning off Remember Me entirely from the Configuration menu (if you are an admin), but then you lose ALL the convenience too.

The new feature introduces the concept of a timeout period. This means that Remember Me is only valid for a certain period of time. The timeout can be specified in days, hours and minutes and can be anywhere from 1 minute to 4085 years. :-) Of course, you will still be able to keep it unlimited if you choose.
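As an added illustration (not Secret Server's own code), here is one way a server can enforce such a timeout itself instead of trusting the cookie's expiry date, which the client controls. The token layout, `SERVER_KEY`, the function names and the use of `None` for the unlimited setting are all assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from datetime import timedelta

# Assumption: a server-side signing secret (constructed value for this example).
SERVER_KEY = b"example-only-signing-key"


def timeout_seconds(days=0, hours=0, minutes=0):
    """Convert a days/hours/minutes setting to seconds (minimum: 1 minute)."""
    total = int(timedelta(days=days, hours=hours, minutes=minutes).total_seconds())
    if total < 60:
        raise ValueError("timeout must be at least 1 minute")
    return total


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Return 'user|issued_at|signature' to store in the Remember Me cookie."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_sign(payload)}"


def validate_token(token, timeout, now=None):
    """Return the user if the token is authentic and inside the timeout, else None.

    timeout is in seconds; None stands for the unlimited setting.
    """
    try:
        user, issued_str, sig = token.split("|")
        issued = int(issued_str)
    except ValueError:
        return None  # malformed cookie
    expected = _sign(f"{user}|{issued_str}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # user or issue time was altered on the client
    now = int(time.time() if now is None else now)
    if issued > now:
        return None  # issue time in the future
    if timeout is not None and now - issued > timeout:
        return None  # older than the configured Remember Me period
    return user
```

Because the issue time is covered by the signature, editing the cookie to look newer invalidates it, and shortening the configured timeout takes effect on cookies that were already handed out.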

I plan to change our company Secret Server installation to use a timeout of 24 hours. This will require all employees to log in once a day, which doesn't seem like too much of a burden and definitely minimizes our exposure window.

This feature will be in the next update to be released in the next few weeks.

--Jonathan