
Session Timeout Security Risk?

Hi,
We have a page we want to refresh every 30 minutes so that users can
get up to date info. The problem is that there is information within
the session that we need in each refresh to determine what roles the
user belongs to so that we can get the data they need.

The page times out because we lose our session info after 20 minutes.
Resetting that timeout value is not an option (I've been told we
aren't allowed).

If I refresh the page every 15 minutes, the problem goes away.
However, I was told that is a security risk because I'm potentially
creating an infinite session timeout.

I'm curious whether anyone out there could help explain if this is
indeed a security risk, and why.

May 2 '07 #1
I can't see any security risk; whoever is running your site probably just
doesn't want infinite timeouts. I guess one security issue would be if the
person leaves their browser running and walks off somewhere, has lunch, or goes
to a long meeting.

"Doogie" <dn******@dtgnet.com> wrote in message
news:11**********************@y5g2000hsa.googlegroups.com...

May 2 '07 #2
You have two security risks, especially if session = authentication.

1) The user leaves the workstation and browser cache; someone else can
access it. Medium risk.

2) The more serious in your case: session hijacking. To hijack a session,
all one needs is the session ID. Normally you'd check if the session
belongs to the user, but if the session identifies the user, you can't. Then
all that is required to hijack a session is to guess it (easier if it never
expires) or catch it with a network sniffer.
-- bruce (sqlwork.com)
Doogie wrote:
May 2 '07 #3
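The point bruce makes about a never-expiring session, shown as an added example that is not from the thread or the poster's application: a server-side session store (Python, hypothetical) whose idle timer a 15-minute refresh keeps resetting, beside an absolute lifetime cap that ends the session regardless of refreshes. The 8-hour cap in the usage, the store's API and the refresh simulation are assumptions; the 20-minute idle limit and the 15/30-minute refresh intervals are the thread's own numbers.

```python
import secrets

IDLE_TIMEOUT = 20 * 60  # the thread's 20-minute idle limit, in seconds


class SessionStore:
    """Server-side sessions with an idle timeout and an optional absolute lifetime cap."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=None):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout  # None = no cap (idle timer only)
        self._sessions = {}

    def create(self, user, roles, now):
        # 256 bits from the OS CSPRNG: a session id that is not guessable,
        # which addresses the "guess" half of the hijacking risk.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "roles": roles, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Validate a request at time `now`; return the session data, or None if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s["last_seen"] > self.idle_timeout
        cap_expired = (self.absolute_timeout is not None
                       and now - s["created"] > self.absolute_timeout)
        if idle_expired or cap_expired:
            del self._sessions[sid]  # invalidate on the server, not just in the browser
            return None
        s["last_seen"] = now  # a refresh resets only the idle timer, never the cap
        return s


def refreshes_until_expiry(store, sid, start, interval, horizon):
    """Simulate a page auto-refresh every `interval` seconds for `horizon` seconds
    and count how many refreshes were served before the session expired."""
    served, t = 0, start
    while t + interval <= start + horizon:
        t += interval
        if store.touch(sid, t) is None:
            break
        served += 1
    return served


if __name__ == "__main__":
    day = 24 * 3600
    capped = SessionStore(absolute_timeout=8 * 3600)  # assumed 8-hour hard cap
    sid = capped.create("alice", ["viewer"], now=0)
    print("15-min refresh with 8h cap:", refreshes_until_expiry(capped, sid, 0, 900, day))
```

With the idle timer alone, a refresh every 15 minutes keeps the session alive for as long as the browser stays open; the absolute cap is what bounds the window in which a leaked or unattended session ID remains usable.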
