session management

  • user session inactivity timeout needs to be defined (if the user is continuously active the session simply stays alive, which is fine)
  • what about multiple sessions: can a user log in twice from different IPs? do you want logged-in device management like Facebook's (list devices, log out the others)?
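As an added illustration of the two points above (not code from the original notes), a minimal in-memory session registry that enforces an idle timeout, caps concurrent logins per user, and exposes the "where am I logged in / log out other devices" view; the timeout and cap values are assumed policy numbers, and the injectable clock exists only so the behaviour can be tested offline:

```python
import secrets
import time
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 15 * 60   # assumed policy: 15 minutes idle
MAX_SESSIONS_PER_USER = 3      # assumed policy: cap concurrent logins

@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float

class SessionStore:
    """Idle-timeout sessions plus a per-user device list (constructed example)."""
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable for tests; real code uses time.time
        self.sessions = {}        # session id -> Session

    def login(self, user, ip, user_agent):
        # Evict the least recently used session once the user hits the cap,
        # so a forgotten login on another device cannot live forever.
        live = self.list_devices(user)
        while len(live) >= MAX_SESSIONS_PER_USER:
            oldest = min(live, key=lambda sid: self.sessions[sid].last_seen)
            del self.sessions[oldest]
            live.remove(oldest)
        sid = secrets.token_urlsafe(32)   # unguessable session id
        now = self.clock()
        self.sessions[sid] = Session(user, ip, user_agent, now, now)
        return sid

    def touch(self, sid):
        """Validate on every request: returns the Session, or None if unknown/idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > INACTIVITY_TIMEOUT:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s

    def list_devices(self, user):
        """The 'where you are logged in' view: every non-expired session of the user."""
        now = self.clock()
        return [sid for sid, s in self.sessions.items()
                if s.user == user and now - s.last_seen <= INACTIVITY_TIMEOUT]

    def revoke_others(self, user, keep_sid):
        """'Log out of all other devices', keeping only the current session."""
        for sid in self.list_devices(user):
            if sid != keep_sid:
                del self.sessions[sid]
```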

password policy

unless you are using an SSO (e.g. CAS v5 in a Tomcat container) that already enforces your policy, consider:

  • complexity requirements, or even forced random-generated passwords
  • once a password is reset, is the user logged in directly? then the browser does not remember the updated one...
  • what about blocking the browser from remembering the password (Qualys security scans report this)?
  • magic login links and no passwords at all? + autologin + session never expires?