
Question about a long session timeout (somewhat long) - ASP.NET Security


  1. #1

    Question about a long session timeout (somewhat long)

    I've been told by my developers to increase the asp.net session timeout
    to 72 hours. Being a server guy, it concerns me because of the obvious
    potential for denial of service due to resource consumption.
    Basically, it is an asp.net application that runs ssl and may take some
    personal information.

    They have not yet put in membership functionality to allow the user to
    save their work so my thought is that they're trying to get around it
    but increasing the timeout thus keeping the user from losing their
    work.

    Anyone with common sense knows it's wrong, but...

    Can someone help me mount a case to not allow this due to security
    concerns and maybe offer some solutions bearing in mind that they do
    not plan on adding any kind of membership functionality in the near
    future?

    Maybe I do not fully understand session timeouts versus expiring a
    page.

    Any comments would be greatly appreciated...

    Chris

    Stupid48 Guest

  2. #2

    Re: Question about a long session timeout (somewhat long)

    Why don't you just ask them why they want such a long timeout value?

    Cheers
    Ken


    "Stupid48" <cf_richhotmail.com> wrote in message
    news:1110948389.226027.100140z14g2000cwz.googlegroups.com...
    : I've been told by my developers to increase the asp.net session timeout
    : to 72 hours. Being a server guy, it concerns me because of the obvious
    : potential for denial of service due to resource consumption.
    : Basically, it is an asp.net application that runs ssl and may take some
    : personal information.
    :
    : They have not yet put in membership functionality to allow the user to
    : save their work so my thought is that they're trying to get around it
    : but increasing the timeout thus keeping the user from losing their
    : work.
    :
    : Anyone with common sense knows it's wrong, but...
    :
    : Can someone help me mount a case to not allow this due to security
    : concerns and maybe offer some solutions bearing in mind that they do
    : not plan on adding any kind of membership functionality in the near
    : future?
    :
    : Maybe I do not fully understand session timeouts versus expiring a
    : page.
    :
    : Any comments would be greatly appreciated...
    :
    : Chris
    :


    Ken Schaefer Guest

  3. #3

    Re: Question about a long session timeout (somewhat long)


    Ken Schaefer wrote:
    > Why don't you just ask them why they want such a long timeout value?
    >
    > Cheers
    > Ken
    >
    >
    Ahh, well, sometimes management has a little bit more control than we
    would like. I suppose they have some notion that the internet is
    totally reliable and someone can leave their browser open for a day and
    not lose their connection. The system is a job application thus it
    requires a lot of time to fill in.

    Stupid48 Guest

  4. #4

    Re: Question about a long session timeout (somewhat long)

    Hi,

    Sure, but you want to build a case against this change. So, first try to
    work out what's driving the change:
    a) why do they want it?
    b) why does it have to be 72 hours?

    You might find that 1 hour would be sufficient. Or you may be able to build
    some kind of alternative compromise that can keep you, and them, happy. But
    at the moment all you've posted is "I think they're doing it because of
    this", so you're speculating as to their motives. Perhaps they actually want
    to achieve something else, and the session timeout change won't have any
    benefit to them at all!

    Cheers
    Ken


    "Stupid48" <cf_richhotmail.com> wrote in message
    news:1110986035.945570.193320l41g2000cwc.googlegroups.com...
    :
    : Ken Schaefer wrote:
    : > Why don't you just ask them why they want such a long timeout value?
    : >
    : > Cheers
    : > Ken
    : >
    : >
    : Ahh, well, sometimes management has a little bit more control than we
    : would like. I suppose they have some notion that the internet is
    : totally reliable and someone can leave their browser open for a day and
    : not lose their connection. The system is a job application thus it
    : requires a lot of time to fill in.
    :


    Ken Schaefer Guest

  5. #5

    Re: Question about a long session timeout (somewhat long)

    Well, I know why they want to do it. This app was promised to HR but
    they did not have anyone build in any membership functionality. Now,
    to save their a$$es, they want to set an extended session timeout so
    the user can walk away from their PC for a while and not lose the stuff
    they typed in. I got them down to 24 hours so far. They are stuck on
    this and since they are management, I have no say unless I can bring
    some security or technical reasons to the table. i.e. The user's
    social security number is at risk because the session is staying open
    for 3 days. Being that I'm just a server guy, I need some help more on
    the dev side of things. But their motives are definitely that they
    think a long timeout will keep the user from losing the data they
    already typed in.

    Ken Schaefer wrote:
    > Hi,
    >
    > Sure, but you want to build a case against this change. So, first try to
    > work out what's driving the change:
    > a) why do they want it?
    > b) why does it have to be 72 hours?
    >
    > You might find that 1 hour would be sufficient. Or you may be able to build
    > some kind of alternative compromise that can keep you, and them, happy. But
    > at the moment all you've posted is "I think they're doing it because of
    > this", so you're speculating as to their motives. Perhaps they actually want
    > to achieve something else, and the session timeout change won't have any
    > benefit to them at all!
    >
    > Cheers
    > Ken

    Stupid48 Guest

  6. #6

    Re: Question about a long session timeout (somewhat long)

    That being the case, wouldn't you be best served by changing the
    application to include a "Load" & "Save" button that will save the data in a
    database for later recall?

    Ignus

    "Stupid48" <cf_richhotmail.com> wrote in message
    news:1111080699.970649.125860z14g2000cwz.googlegroups.com...
    > Well, I know why they want to do it. This app was promised to HR but
    > they did not have anyone build in any membership functionality. Now,
    > to save their a$$es, they want to set an extended session timeout so
    > the user can walk away from their PC for a while and not lose the stuff
    > they typed in. I got them down to 24 hours so far. They are stuck on
    > this and since they are management, I have no say unless I can bring
    > some security or technical reasons to the table. i.e. The user's
    > social security number is at risk because the session is staying open
    > for 3 days. Being that I'm just a server guy, I need some help more on
    > the dev side of things. But their motives are definitely that they
    > think a long timeout will keep the user from losing the data they
    > already typed in.
    >
    > Ken Schaefer wrote:
    >> Hi,
    >>
    >> Sure, but you want to build a case against this change. So, first try to
    >> work out what's driving the change:
    >> a) why do they want it?
    >> b) why does it have to be 72 hours?
    >>
    >> You might find that 1 hour would be sufficient. Or you may be able to build
    >> some kind of alternative compromise that can keep you, and them, happy. But
    >> at the moment all you've posted is "I think they're doing it because of
    >> this", so you're speculating as to their motives. Perhaps they actually want
    >> to achieve something else, and the session timeout change won't have any
    >> benefit to them at all!
    >>
    >> Cheers
    >> Ken
    >

    Ignus Fast Guest

  7. #7

    Re: Question about a long session timeout (somewhat long)

    Hi,

    A long session timeout isn't really going to help here unless you have data
    saved in session variables. If this is data that a user is typing into a
    form, a long session timeout isn't going to help per se. You could just as
    easily regenerate the session, and keep the user's information.

    Personally, I think the save/load functionality that someone else has
    mentioned is a good idea. That way, if you do need to reboot the server or
    something (eg to apply a patch), all the users with current sessions open
    aren't going to lose all their data.

    Cheers
    Ken


    "Stupid48" <cf_richhotmail.com> wrote in message
    news:1111080699.970649.125860z14g2000cwz.googlegroups.com...
    : Well, I know why they want to do it. This app was promised to HR but
    : they did not have anyone build in any membership functionality. Now,
    : to save their a$$es, they want to set an extended session timeout so
    : the user can walk away from their PC for a while and not lose the stuff
    : they typed in. I got them down to 24 hours so far. They are stuck on
    : this and since they are management, I have no say unless I can bring
    : some security or technical reasons to the table. i.e. The user's
    : social security number is at risk because the session is staying open
    : for 3 days. Being that I'm just a server guy, I need some help more on
    : the dev side of things. But their motives are definitely that they
    : think a long timeout will keep the user from losing the data they
    : already typed in.
    :
    : Ken Schaefer wrote:
    : > Hi,
    : >
    : > Sure, but you want to build a case against this change. So, first try to
    : > work out what's driving the change:
    : > a) why do they want it?
    : > b) why does it have to be 72 hours?
    : >
    : > You might find that 1 hour would be sufficient. Or you may be able to build
    : > some kind of alternative compromise that can keep you, and them, happy. But
    : > at the moment all you've posted is "I think they're doing it because of
    : > this", so you're speculating as to their motives. Perhaps they actually want
    : > to achieve something else, and the session timeout change won't have any
    : > benefit to them at all!
    : >
    : > Cheers
    : > Ken
    :


    Ken Schaefer Guest

  8. #8

    Re: Question about a long session timeout (somewhat long)

    As with anything else, there are 2 things to be concerned with here: security and performance.

    1) Performance: this is only a problem if you have servers with low memory and/or a site with high traffic and/or a site that heavily uses session resources. If the site uses relatively little memory and the traffic is fairly low, you shouldn't have a performance problem with having the session open for a long time. Just monitor the memory on your web servers and take action when you need to. There's no point in arbitrarily throttling session timeouts (and annoying your users) if you don't have to.

    2) Security: the thing to watch out for here is session hijacking. However, this can be easily mitigated by simply using SSL (which I'm assuming you're already using). Yeah sure, the user can walk away from their computer leaving the screen unlocked for a long time and someone could come by and see their sensitive information but this is not your problem. That's no different than just leaving your wallet lying around.

    In short, what your developers are asking for is just fine. They're smart people who have the considerations of their users as their primary concern and aren't necessarily just trying to cover their asses.
    Gordon Guest
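To make the two technical points in the replies above concrete (the session timeout is an idle timeout that every request resets, and the session state mode decides what a worker-process restart discards), here is an added web.config fragment. It is not from this thread or from any of the posters. It assumes ASP.NET 2.0 or later for the httpCookies element; the state server address and the 20-minute value are illustrative placeholders, and 4320 is simply 72 hours expressed in minutes.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Values are illustrative. -->
<configuration>
  <system.web>

    <!-- timeout is in minutes and is sliding: each request pushes expiry
         out again, so an applicant who is actively filling in the form is
         never logged out mid-form; only an abandoned browser is. The
         developers' request would be timeout="4320" (72 h), which keeps a
         session ID copied from an unattended browser usable for up to three
         days after the last request, and keeps every idle Session[] object
         alive for that long as well.

         mode="InProc" (the default) stores session data in the worker
         process, so an application restart (patching, recycling) discards
         every open session regardless of the timeout. StateServer keeps the
         data in the separate ASP.NET State Service, which survives a worker
         process recycle but not a reboot; SQLServer mode (sqlConnectionString
         instead of stateConnectionString) survives a reboot too. Out-of-process
         modes require objects stored in Session to be serializable. Neither
         mode captures text the user has typed but not yet posted; that is
         what the save/load suggestion in the thread addresses. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  cookieless="false"
                  timeout="20" />

    <!-- Session cookie is sent only over HTTPS and is not readable by
         client-side script (ASP.NET 2.0 and later). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

  </system.web>
</configuration>
```

The point for the server side of the argument is the combination: a short idle timeout bounds how long a leaked or unattended session stays usable, the out-of-process mode answers the "users lose everything when we patch" concern, and persisting drafts in a database (the Load/Save suggestion) is what actually protects half-completed forms, which no session timeout value can do.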
