We have a default short session timeout of 10’ because we want to be sure that it is actually the real user who is performing the request (and not someone who has gained access to the user's computer). The short session timeout and its refresh try to verify the continuity of the usage of the application.
But this has the annoying effect that the user needs to enter his password often, even to perform requests with low risk (like reading a party).
Indeed, ideally the level of trust in the user authentication depends on the request. For example, posting an invoice requires more trust than searching for a party. So it would be good to have two timeouts: a long one used for low-risk requests and a short one for high-risk requests.
We increase the default timeout of the session to a higher default value (e.g. 30 days).
We add a second timestamp on the session Model which is set at login and refreshed on each request only if the last timestamp is not older than a new timeout. This new timeout is part of the configuration and is set to 10’ by default. We define on the RPC whether the request must enforce the short session timeout. If it does and the request is made with a session, then the second timestamp is checked in the dispatcher and the request is aborted with UNAUTHORIZED.
We should activate this enforcement mainly on buttons which involve money, like posting invoices or moves, or validating payments, sales or purchases.
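The two-timestamp scheme above, as an added example that is not the project's own code: the session keeps a long-window timestamp and a short-window "fresh" timestamp, and the dispatcher rejects an RPC flagged `fresh_session` (an assumed flag name) once continuous use has been broken for longer than the short timeout. All class and function names are hypothetical.

```python
from dataclasses import dataclass

# Defaults from the proposal, in seconds: a long window for low-risk
# requests and a short window for high-risk ones.
LONG_TIMEOUT = 30 * 24 * 3600
SHORT_TIMEOUT = 10 * 60

OK = 'OK'
UNAUTHORIZED = 'UNAUTHORIZED'   # what the dispatcher answers on failure


@dataclass
class RPC:
    name: str
    fresh_session: bool = False   # assumed flag: enforce the short timeout


@dataclass
class Session:
    timestamp: float         # last request inside the long window
    fresh_timestamp: float   # last request inside an unbroken short window

    @classmethod
    def login(cls, now):
        # Entering the password starts both windows.
        return cls(timestamp=now, fresh_timestamp=now)

    def reauthenticate(self, now):
        # Re-entering the password restarts only the short window.
        self.fresh_timestamp = now

    def is_fresh(self, now):
        return now - self.fresh_timestamp <= SHORT_TIMEOUT

    def refresh(self, now):
        # The long window is refreshed on every request while still valid.
        if now - self.timestamp > LONG_TIMEOUT:
            return False
        # The short window is refreshed only if the previous fresh timestamp
        # is still inside it; a longer idle gap leaves it in the past.
        if self.is_fresh(now):
            self.fresh_timestamp = now
        self.timestamp = now
        return True


def dispatch(session, rpc, now):
    # Dispatcher-side checks: session validity first, then freshness.
    if not session.refresh(now):
        return UNAUTHORIZED
    if rpc.fresh_session and not session.is_fresh(now):
        return UNAUTHORIZED
    return OK
```

With a 9-minute gap between requests the fresh window keeps sliding; a 15-minute gap lets low-risk reads through but makes a `fresh_session` RPC fail until the user re-enters the password.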