ASP.NET Misconfiguration: Excessive Session Timeout

时间:2022-08-11 01:39:22

Abstract:

An overly long authentication timeout gives attackers more time to potentially compromise user accounts.

Explanation:

The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a

session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or

commandeer a session from an open browser. Longer authentication timeouts can also prevent memory from being released and

eventually result in a denial of service if a sufficiently large number of sessions are created.

Example 1: The following example shows ASP.NET MVC configured with an hour authentication timeout.

...

<configuration>

<system.web>

<authentication>

<forms

timeout="60" />

</authentication>

</system.web>

</configuration>

...

If the timeout attribute is not specified the authentication timeout defaults to 30 minutes.

Recommendations:

Set an authentication timeout that is 15 minutes or less, which both allows users to interact with the application over a period of

time and provides a reasonable bound for the window of attack.

Example 2: The following example sets the authentication timeout to 15 minutes.

...

<configuration>

<system.web>

<authentication>

<forms

timeout="15" />

</authentication>

</system.web>

</configuration>