So in this case, when short sessions are a clear negative for a lot of products, and we have existing examples of HUGE enterprise companies that have agreed and adjusted those sessions to be much longer for most cases...
I would argue that you are arguing to prioritize security over the goal of the product. Right here and right now - you are literally doing it.
> To obtain good enough security, defence in depth is still a good principle to follow.
I don't disagree! I just think that each "defense" needs to actually be considered on the whole, not as just another bonus to security. Short sessions SUUUUUUUUUCK. They make your product shitty. Users hate them. They don't add a ton of security.
Are there products that should still have them? Sure. Probably lots of products in VERY specific places. Should they be the default everywhere? Sure as hell not.