Web Application best practice: ephemeral session or expiring sessions?
While working on an application using Node.js and Express, I found an interesting and perplexing issue in my UX testing. The application had session settings for "maxAge: 24 hours" and "ephemeral: true"; however, I was finding that neither held true: my session appeared to always be available unless I actually logged out.
A little research confirmed that, at least with express-session, these two settings do not work together. Some deeper research turns up that in the UX world, ephemeral and expiring sessions are like oil and water, e.g., what's the purpose of having a session that expires if you're going to kill it when the browser closes, and vice versa? I've been told that it would be a confusing UX to do both.
Now I'm trying to determine what would actually be the best user experience. I realize this may be application-dependent. My application is a simple database management interface. Users log in, can manage tables in a database, and that's it.
Should I put a maxAge on the session and expire it after idle activity, or expire the session only when the browser closes? I suppose a short age expiration after a period of time ALSO covers the browser being closed. On the other hand, a user may go inactive for a period of time, while leaving the browser open, with the intent of returning to it. What scenario provides the best end-user UX that would be the least confusing?
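As an added example (not part of the original question, and not express-session's API): one way the two behaviours can coexist is a cookie with no Max-Age/Expires, which the browser drops on close, combined with idle and absolute timeouts enforced on the server. The 30-minute idle value, the `SessionStore` class and every name below are assumptions for illustration.

```javascript
// Added example: names and the 30-minute idle value are assumptions.
const MIN = 60 * 1000;
const POLICY = {
  idleMs: 30 * MIN,          // assumed idle timeout
  absoluteMs: 24 * 60 * MIN, // the 24-hour limit from the question
};

// No Max-Age or Expires attribute: the browser treats this as a session
// cookie and discards it when the browser closes.
function sessionCookie(name, sid) {
  return `${name}=${encodeURIComponent(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// In-memory store; expiry is decided on the server, never by the cookie.
class SessionStore {
  constructor(policy) {
    this.policy = policy;
    this.sessions = new Map();
  }
  // sid must come from a CSPRNG in real use; the demo passes constructed ids.
  create(sid, user, now) {
    this.sessions.set(sid, { user, createdAt: now, lastSeen: now });
  }
  expire(sid, reason) {
    this.sessions.delete(sid);
    return { ok: false, reason };
  }
  // Validates a request at time `now` (ms) and resets the idle timer on success.
  check(sid, now) {
    const s = this.sessions.get(sid);
    if (!s) return { ok: false, reason: 'unknown' };
    if (now - s.createdAt >= this.policy.absoluteMs) return this.expire(sid, 'absolute');
    if (now - s.lastSeen >= this.policy.idleMs) return this.expire(sid, 'idle');
    s.lastSeen = now;
    return { ok: true, reason: null };
  }
}

// Constructed timeline: requests at 10, 35, 70 and 71 minutes after login.
function demo() {
  const store = new SessionStore(POLICY);
  store.create('constructed-sid-1', 'alice', 0);
  return [10, 35, 70, 71].map((m) => store.check('constructed-sid-1', m * MIN).reason);
}
console.log(sessionCookie('sid', 'constructed-sid-1'));
console.log(demo());
```

Because the server deletes the record on expiry, a cookie restored by a browser's "continue where you left off" feature still fails the check once the idle or absolute limit has passed.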