- user session inactivity timeout needs to be defined (if the user always uses the thing, then fine)
- what about multi-sessions: can a user log in twice from different IPs? do you want logged-in device management like Facebook?
unless you are using an SSO, e.g. CAS v5 within a Tomcat container, which would already comply with your policy,
- complexity requirements, or even forced randomly generated passwords
- once the password is reset, direct login? then the browser does not remember the updated one...
- what about blocking the browser from remembering it (Qualys security robot reports)?
- magic login links and no passwords at all? + autologin + session never expires?
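As an added example (not code from the post or from any product it names), here is a minimal server-side session store that covers three of the points raised above: an inactivity timeout plus a hard lifetime, a per-user "where am I logged in" view across devices and IPs, and revoking every other session when a password is reset while still logging the resetting user straight in. The timeout values and the injected `now` timestamps are assumptions so the example runs deterministically.

```python
"""Constructed session store: idle timeout, absolute lifetime, per-user
device listing, and revoke-all-others on password reset."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60         # assumed policy: 15 min without a request
ABSOLUTE_LIFETIME = 12 * 3600  # assumed policy: 12 h hard cap per session


@dataclass
class Session:
    user: str
    ip: str
    device: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def login(self, user, ip, device, now):
        token = secrets.token_urlsafe(32)  # opaque, unguessable identifier
        self._sessions[token] = Session(user, ip, device, now, now)
        return token

    def validate(self, token, now):
        """Return the live session (refreshing last_seen) or None if expired/unknown."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]  # expired: drop it server-side, not just client-side
            return None
        s.last_seen = now
        return s

    def list_devices(self, user):
        """The 'logged-in devices' view: one (device, ip) row per live session."""
        return sorted((s.device, s.ip) for s in self._sessions.values() if s.user == user)

    def password_reset(self, user, ip, device, now):
        """Direct login after reset, but every other session of the user is revoked."""
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[tok]
        return self.login(user, ip, device, now)
```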