diff --git a/lib/configuration.js b/lib/configuration.js
index 49f980cd2a1686c7a6a14bc07707ca93ce12d222..dfe32e81274208e23c8277d386c90a87a50e98cd 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -124,6 +124,10 @@ var conf = module.exports = convict({
     doc: "How long may a user stay signed?",
     format: 'integer = 1209600000'
   },
+  ephemeral_session_duration_ms: {
+    doc: "How long a user on a shared computer shall be authenticated",
+    format: 'integer = 300000'
+  },
   certificate_validity_ms: {
     doc: "For how long shall certificates issued by BrowserID be valid?",
     format: 'integer = 86400000'
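Review bot: The `doc` string for `ephemeral_session_duration_ms` does not say how this value relates to the regular session lifetime described by the option just above it ("How long may a user stay signed?"). An operator reading the config cannot tell that the default of 300000 ms is five minutes, or that it appears to replace the normal duration for that session rather than add to it. Suggested wording: `doc: "Session lifetime (ms) used instead of the normal session duration when the user signs in on a shared computer"`. Since elsewhere in this commit the value is also applied unconditionally after account creation, the doc should mention that too if it is intended.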
diff --git a/lib/wsapi.js b/lib/wsapi.js
index e23a50ce9872722011262ece41da40e4e4cccbf0..78f43c548f2eff771de3cdda5c5f012d1df7f489 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -77,7 +77,7 @@ function bcryptPassword(password, cb) {
   });
 };
 
-function authenticateSession(session, uid, level) {
+function authenticateSession(session, uid, level, duration_ms) {
   if (['assertion', 'password'].indexOf(level) === -1)
     throw "invalid authentication level: " + level;
 
@@ -87,6 +87,9 @@ function authenticateSession(session, uid, level) {
       session.auth_level !== level) {
     logger.info("not resetting cookies to 'assertion' authenticate a user who is already password authenticated");
   } else {
+    if (duration_ms) {
+      session.setDuration(duration_ms);
+    }
     session.userid = uid;
     session.auth_level = level;
   }
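Review bot: `session.setDuration(duration_ms)` is only reached in the `else` branch, so the path that logs "not resetting cookies to 'assertion'…" leaves the existing session lifetime untouched even when the caller asked for an ephemeral session. On a shared computer that means an ephemeral assertion sign-in on top of an already password-authenticated session keeps the long-lived cookie. If shortening is always safe, hoist the guard above the `if`/`else` as `if (duration_ms) session.setDuration(duration_ms);`; otherwise add a comment explaining why the lifetime is deliberately preserved in that branch. The new `duration_ms` parameter also has no comment, and one should state that a falsy value leaves the session's current duration as it is. The start of the condition and the end of `authenticateSession` lie outside this hunk.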
diff --git a/lib/wsapi/auth_with_assertion.js b/lib/wsapi/auth_with_assertion.js
index 8781151358379e93e4f3e0bbe09c182c62b75667..b843d4614e44ad1260a02b1ba4f36db9873d9f8e 100644
--- a/lib/wsapi/auth_with_assertion.js
+++ b/lib/wsapi/auth_with_assertion.js
@@ -41,7 +41,8 @@ exports.process = function(req, res) {
         return db.emailToUID(email, function(err, uid) {
           if (err) return wsapi.databaseDown(res, err);
           if (!uid) return res.json({ success: false, reason: "internal error" });
-          wsapi.authenticateSession(req.session, uid, 'assertion');
+          wsapi.authenticateSession(req.session, uid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           return res.json({ success: true });
         });
       }
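Review bot: This call reads `req.ephemeral`, while the password path in lib/wsapi/authenticate_user.js reads `req.body.ephemeral`, and nothing in the visible diff sets a property named `ephemeral` directly on `req`. Unless some middleware outside this diff populates it, the ternary always yields `undefined`, and assertion sign-ins silently get the full-length session even when the user flagged a shared computer. The same expression is repeated in the second hunk of this file, at the primary-account creation call. Consider `req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined` in both places, and add `'ephemeral'` to this endpoint's `exports.args` if that list is what admits request parameters (not visible here). `exports.process` starts and ends outside the hunk.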
@@ -90,7 +91,8 @@ exports.process = function(req, res) {
           }
 
           logger.info("successfully created primary acct for " + email + " (" + r.userid + ")");
-          wsapi.authenticateSession(req.session, r.userid, 'assertion');
+          wsapi.authenticateSession(req.session, r.userid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
         });
       }).on('error', function(e) {
diff --git a/lib/wsapi/authenticate_user.js b/lib/wsapi/authenticate_user.js
index b1715a1b4c21fce281502e366ab4c1b47b8877fd..0abb15e73b370f9760ff14e65a4aa4adf4b3590c 100644
--- a/lib/wsapi/authenticate_user.js
+++ b/lib/wsapi/authenticate_user.js
@@ -16,7 +16,7 @@ statsd = require('../statsd');
 exports.method = 'post';
 exports.writes_db = false;
 exports.authed = false;
-exports.args = ['email','pass'];
+exports.args = ['email','pass', 'ephemeral'];
 exports.i18n = false;
 
 exports.process = function(req, res) {
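Review bot: The new `ephemeral` argument is declared without any type expectation and is then consumed by plain truthiness at the `authenticateSession` call in the next hunk of this file. If the request body is not strict JSON, a client sending the string `"false"` would be treated as ephemeral. That errs toward the shorter session, but the flag is security-relevant and worth normalising explicitly, e.g. `var ephemeral = req.body.ephemeral === true || req.body.ephemeral === 'true';`. Separately, if `exports.args` is enforced as a list of required parameters (the validator is not visible here), existing clients that do not send `ephemeral` will start being rejected, which should be either intended and documented or avoided by making the field optional.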
@@ -59,7 +59,8 @@ exports.process = function(req, res) {
         } else {
           if (!req.session) req.session = {};
 
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
 
 
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index 882351b630f784c34528302de0682ff9870859fc..dca109d14da9a856d1ab7fc6792ec100a932a37c 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -50,7 +50,8 @@ exports.process = function(req, res) {
           // FIXME: not sure if we want to do this (ba)
           // at this point the user has set a password associated with an email address
           // that they've verified.  We create an authenticated session.
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    config.get('ephemeral_session_duration_ms'));
           res.json({ success: true });
         }
       });
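Review bot: `config.get('ephemeral_session_duration_ms')` is passed here unconditionally, unlike the other call sites, so every newly created account starts with the short session regardless of what the user chose. That may be a deliberate conservative default, but the existing FIXME comment above the call does not say so. If it is intended, add a comment such as `// always use the short-lived session here: the user has not yet told us whether this is a shared computer`. The hunk also does not show `config` being required in this file, so confirm it is in scope. `exports.process` starts and ends outside the hunk.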
diff --git a/package.json b/package.json
index 2a86e4b4d27c501247ba86a64eb4945666c497f3..fdddf56aa681ffeef5b1db0b6440f65f4879b41e 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,7 @@
         "connect": "1.7.2",
         "convict": "0.0.6",
         "cjson": "0.0.6",
-        "client-sessions": "0.0.3",
+        "client-sessions": "0.0.4",
         "connect-cachify": "0.0.8",
         "connect-cookie-session": "0.0.2",
         "connect-logger-statsd": "0.0.1",