Session timeout represents the event occurring when a user do not perform any action on a web site during a interval (defined by web server). The event, on server side, change the status of the user session to 'invalid' (ie. "not used anymore") and instruct the web server to destroy it (deleting all data contained into it).
Impact of the session timeout on security and best practices
Session timeout define action window time for a user thus this window represents, in the same time, the delay in which an attacker can try to steal and use a existing user session...
For this, it's best practices to :
Set session timeout to the minimal value possible depending on the context of the application.
Avoid "infinite" session timeout.
Prefer declarative definition of the session timeout in order to apply global timeout for all application sessions.
Trace session creation/destroy in order to analyze creation trend and try to detect abnormal session number creation (application profiling phase in a attack).
Impact of the session timeout on security and best practices
Session timeout define action window time for a user thus this window represents, in the same time, the delay in which an attacker can try to steal and use a existing user session...
For this, it's best practices to :
Set session timeout to the minimal value possible depending on the context of the application.
Avoid "infinite" session timeout.
Prefer declarative definition of the session timeout in order to apply global timeout for all application sessions.
Trace session creation/destroy in order to analyze creation trend and try to detect abnormal session number creation (application profiling phase in a attack).
No comments:
Post a Comment