Stupid48
I've been told by my developers to increase the ASP.NET session timeout
to 72 hours. Being a server guy, it concerns me because of the obvious
potential for denial of service due to resource consumption.
Basically, it is an ASP.NET application that runs SSL and may take some
personal information.
They have not yet put in membership functionality to allow the user to
save their work, so my thought is that they're trying to get around it
by increasing the timeout, thus keeping the user from losing their
work.
Anyone with common sense knows it's wrong, but...
Can someone help me mount a case to not allow this due to security
concerns and maybe offer some solutions bearing in mind that they do
not plan on adding any kind of membership functionality in the near
future?
Maybe I do not fully understand session timeouts versus expiring a
page.
Any comments would be greatly appreciated...
Chris