Bytes | Software Development & Data Engineering Community

Session Timeout Security Risk?

Hi,
We have a page we want to refresh every 30 minutes so that users can
get up to date info. The problem is that there is information within
the session that we need in each refresh to determine what roles the
user belongs to so that we can get the data they need.

The page times out because we lose our session info after 20 minutes.
Resetting that timeout value is not an option (I've been told we
aren't allowed).

If I refresh the page every 15 minutes, the problem goes away.
However, I was told that is a security risk because I'm potentially
creating an infinite session timeout.

I'm curious whether anyone out there could help explain if this is indeed
a security risk, and why?

May 2 '07 #1
I can't see any security risk; whoever is running your site probably just
doesn't want infinite timeouts. I guess one security issue would be if the
person leaves their browser running and walks off somewhere/has lunch/goes
to a long meeting.


May 2 '07 #2
You have two security risks, especially if session = authentication.

1) The user leaves the workstation and browser cache. Someone else can
access it. Medium risk.

2) The more serious one in your case: session hijacking. To hijack a session,
all one needs is the session ID. Normally you'd check if the session
belongs to the user, but if the session identifies the user, you can't. Then
all that is required to hijack a session is to guess it (easier if it never
expires) or catch it with a network sniffer.
-- bruce (sqlwork.com)
May 2 '07 #3
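An added illustration of the "infinite session timeout" Doogie was warned about, not code from the thread and not tied to any particular web framework: it simulates a session driven only by the 15-minute auto-refresh against the 20-minute idle timeout from the post, then shows two server-side policies that bound the lifetime (an absolute cap, and treating the timed refresh as non-activity). The 8-hour cap and the `automated` flag are assumed policies chosen for the example.

```python
"""Simulate why a timed page refresh inside the idle timeout keeps a session
alive indefinitely, and two server-side policies that put a bound on it.
Added example; the 20-minute idle timeout and 15-minute refresh interval are
the figures from the original post, the 8-hour cap below is assumed."""
from dataclasses import dataclass

IDLE_TIMEOUT = 20 * 60      # idle timeout from the post, in seconds
REFRESH_INTERVAL = 15 * 60  # auto-refresh interval from the post, in seconds


@dataclass
class Session:
    created: int          # time the user actually authenticated
    last_activity: int    # last request that counted as user activity


def touch(session, now, *, idle=IDLE_TIMEOUT, absolute=None, automated=False):
    """Validate `session` for a request at time `now`; return True if it is
    still live.  `absolute` is an optional hard cap on total lifetime (an
    assumed policy).  `automated` marks requests such as a timed refresh
    that must not count as user activity (also an assumed policy)."""
    if now - session.last_activity > idle:
        return False                       # idle timeout reached
    if absolute is not None and now - session.created > absolute:
        return False                       # absolute lifetime reached
    if not automated:
        session.last_activity = now        # only real activity slides it
    return True


def lifetime_with_auto_refresh(policy, horizon=24 * 3600):
    """Drive a fresh session with nothing but timed refreshes and return how
    many seconds it stays valid under `policy` (keyword args for touch()),
    capped at `horizon`.  Hitting the horizon is the 'never expires' case."""
    s = Session(created=0, last_activity=0)
    t = 0
    while t + REFRESH_INTERVAL <= horizon:
        t += REFRESH_INTERVAL
        if not touch(s, t, **policy):
            return t                       # first refresh that is rejected
    return horizon


if __name__ == "__main__":
    print("sliding only       :", lifetime_with_auto_refresh({}))
    print("8h absolute cap    :", lifetime_with_auto_refresh({"absolute": 8 * 3600}))
    print("refresh not counted:", lifetime_with_auto_refresh({"automated": True}))
```

With a sliding idle timeout alone the session never expires within the 24-hour horizon, which is exactly the condition the original poster was warned about; either of the other two policies lets the refresh happen while still ending the session.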
