When your first search comes up with nil, yes. I've had more than a few experiences where it took me three or four searches to find what I want. I understand the need for the security, but it's quite cumbersome as well.
It would make sense to lower the request timeout for registered users that make it past a certain number of posts just like other features. There are some problems with that:
1) The functionality to do so is not built into SMF, so someone would have to write a modification to do it.
2) Modifications/plugins/extensions usually open more security holes than they fix -- just look at the
CVE for Turdpress for proof of that since over 90% of the vulnerabilities since Wordpress 3 dropped are in the mods/plugins/extensions/whateverDevelopersAreCallingThemThisWeek. It's why when I was running things I only added forum modifications with an eyedropper.
3) Making modifications like that require documentation or an understanding of their application/making them distributable so as not to open up the even bigger security flaw of "neutering the upgrade path". This is what made phpBB 2.x so ridiculously vulnerable and resulted in the neverNoSanity (aka Santy) worm taking down two-thirds the Internet whether the sites were hosting phpBB or not. Just being on the same server as another phpBB installation at that time (over a decade ago now?) was enough to have you taken down.
See, phpBB didn't have even the most basic of functionality like avatars or attachments built in, so people used "mods" (or plugins or whatever you want to call them) to add that functionality. More people tried to use it as a CMS to run the front-end of their website and this all combined into a rather nasty situation where the functionality people wanted was incompatible with bugfixes (most of which plugged security holes) in the software... and there is NOTHING more dangerous than being on an outdated version of software where the exploits are known BECAUSE they were fixed. Turned out something like 80% or more of phpBB installs were still unpatched for a well documented vulnerability despite said patch having been out for something like 6 months.
The real laugh of neverNoSanity was that it exploited Google to search for other systems to infect by looking for the phpBB version string. I believe Google actually had to block the search string in order for the blasted thing to stop propagating like wildfire.
That one was so bad, I'm shocked anyone still uses phpBB -- BUT IT WASN'T THEIR FAULT. It was site owners not keeping up with patches and relying on mods that weren't future-proof that made so many systems vulnerable.
4) Something like a XSS exploit or MitM attack could still hijack a legitimate users login. One errant JS and all bets are off. THANKFULLY SMF does a pretty good job of sanitizing inputs
(now -- back on 1.6 there was a GAPING hole I was shocked even existed) so the XSS likelyhood is low... still does jack about "man in the middle" though, but that's true of any session/cookie based login no matter how many factors you get involved. Even HTTPS, the alleged fix for that is easily slapped aside by someone who knows what they are doing. :(
All that can be done on that is to reduce the window of possibility and increase the number of parameters checked. Tracking the IP address and UA string, PHP's
session_regenerate_id function, and a slew of other things can be added to reduce the window in which a MitM attack can occur, but it can never truly be prevented.
Part of what makes the Internet a bit of a lawless shantytown; Built on a house of cards atop a flimsy tray-table in a not to code shack sitting on pilings sunk into fill, that fill dumped into a high flow swampland with nothing in place to redirect the water to bypass it.
It's actually surprising how LITTLE the system breaks down given how it's quite literally hack atop hack atop hack atop -- well, to borrow from Ike -- ignorance, apathy, and wishful thinking.
