
Session Timeout Security Risk?

Hi,
We have a page we want to refresh every 30 minutes so that users can
get up to date info. The problem is that there is information within
the session that we need in each refresh to determine what roles the
user belongs to so that we can get the data they need.

The page times out because we lose our session info after 20 minutes.
Resetting that timeout value is not an option (I've been told we
aren't allowed).

If I refresh the page every 15 minutes, the problem goes away.
However, I was told that is a security risk because I'm potentially
creating an infinite session timeout.

I'm curious whether anyone out there could help explain if this is indeed
a security risk, and why.

May 2 '07 #1
I can't see any security risk; whoever is running your site probably just
doesn't want infinite timeouts. I guess one security issue would be if the
person leaves their browser running and walks off somewhere/has lunch/goes
to a long meeting.


May 2 '07 #2
You have two security risks, especially if session = authentication.

1) The user leaves the workstation and browser open. Someone else can
access it. Medium risk.

2) The more serious one in your case: session hijacking. To hijack a session
all one needs is the session id. Normally you'd check if the session
belongs to the user, but if the session identifies the user you can't. Then
all that is required to hijack a session is to guess it (easier if it never
expires) or catch it with a network sniffer.
-- bruce (sqlwork.com)
May 2 '07 #3
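The thread's concern is that a timed refresh turns a sliding idle timeout into a session that never ends. A common mitigation, shown here as an added example (not code from the thread or from any poster), is a server-side session store that enforces both a sliding idle timeout and an absolute lifetime, with an unguessable session id. The 20-minute idle value comes from the question; the 8-hour absolute cap, the `SessionStore` class and the `simulate` helper are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60           # idle window from the question: 20 minutes
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumed hard cap: no amount of refreshing extends past 8 hours


class SessionStore:
    """In-memory session store with sliding idle expiry AND an absolute lifetime."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME,
                 clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock  # injectable so the behaviour can be simulated offline

    def create(self, user, roles):
        # 256 bits from the OS CSPRNG: the id cannot be guessed, only sniffed or leaked
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "roles": roles, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return session data, or None if unknown, idle too long, or past the hard cap."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_lifetime:
            del self._sessions[sid]   # expired either way: drop it server-side
            return None
        s["last_seen"] = now          # sliding window: any request (incl. a timed refresh) extends it
        return s


def simulate(refresh_every, run_for, idle=IDLE_TIMEOUT, lifetime=ABSOLUTE_LIFETIME):
    """Client that refreshes every `refresh_every` seconds for `run_for` seconds.

    Returns (successful_refreshes, session_alive_at_end) using a fake clock."""
    now = [0.0]
    store = SessionStore(idle, lifetime, clock=lambda: now[0])
    sid = store.create("constructed-user", ["reader"])
    ok = 0
    while now[0] + refresh_every <= run_for:
        now[0] += refresh_every
        if store.lookup(sid) is None:
            return ok, False
        ok += 1
    return ok, True
```

With these settings a 30-minute refresh dies on its first request (30 > 20 idle), a 15-minute refresh stays alive all day, and the absolute cap still ends it after 8 hours regardless of activity.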

