Question about a long session timeout (somewhat long)

Discussion in 'ASP .Net Security' started by Stupid48, Mar 16, 2005.

  1. Stupid48

    Stupid48 Guest

    I've been told by my developers to increase the asp.net session timeout
    to 72 hours. Being a server guy, it concerns me because of the obvious
    potential for denial of service due to resource consumption.
    Basically, it is an asp.net application that runs ssl and may take some
    personal information.

    They have not yet put in membership functionality to allow the user to
    save their work so my thought is that they're trying to get around it
    but increasing the timeout thus keeping the user from losing their
    work.

    Anyone with common sense knows it's wrong, but...

    Can someone help me mount a case to not allow this due to security
    concerns and maybe offer some solutions bearing in mind that they do
    not plan on adding any kind of membership functionality in the near
    future?

    Maybe I do not fully understand session timeouts versus expiring a
    page.

    Any comments would be greatly appreciated...

    Chris
     
    Stupid48, Mar 16, 2005
    #1

  2. Stupid48

    Ken Schaefer Guest

    Why don't you just ask them why they want such a long timeout value?

    Cheers
    Ken


    "Stupid48" <> wrote in message
    news:...
    : I've been told by my developers to increase the asp.net session timeout
    : to 72 hours. Being a server guy, it concerns me because of the obvious
    : potential for denial of service due to resource consumption.
    : Basically, it is an asp.net application that runs ssl and may take some
    : personal information.
    :
    : They have not yet put in membership functionality to allow the user to
    : save their work so my thought is that they're trying to get around it
    : but increasing the timeout thus keeping the user from losing their
    : work.
    :
    : Anyone with common sense knows it's wrong, but...
    :
    : Can someone help me mount a case to not allow this due to security
    : concerns and maybe offer some solutions bearing in mind that they do
    : not plan on adding any kind of membership functionality in the near
    : future?
    :
    : Maybe I do not fully understand session timeouts versus expiring a
    : page.
    :
    : Any comments would be greatly appreciated...
    :
    : Chris
    :
     
    Ken Schaefer, Mar 16, 2005
    #2

  3. Stupid48

    Stupid48 Guest

    Ken Schaefer wrote:
    > Why don't you just ask them why they want such a long timeout value?
    >
    > Cheers
    > Ken
    >
    >

    Ahh, well, sometimes management has a little bit more control than we
    would like. I suppose they have some notion that the internet is
    totally reliable and someone can leave their browser open for a day and
    not lose their connection. The system is a job application, thus it
    requires a lot of time to fill in.
     
    Stupid48, Mar 16, 2005
    #3
  4. Stupid48

    Ken Schaefer Guest

    Hi,

    Sure, but you want to build a case against this change. So, first try to
    work out what's driving the change:
    a) why do they want it?
    b) why does it have to be 72 hours?

    You might find that 1 hour would be sufficient. Or you may be able to build
    some kind of alternative compromise that can keep you, and them, happy. But
    at the moment all you've posted is "I think they're doing it because of
    this", so you're speculating as to their motives. Perhaps they actually want
    to achieve something else, and the session timeout change won't have any
    benefit to them at all!

    Cheers
    Ken


    "Stupid48" <> wrote in message
    news:...
    :
    : Ken Schaefer wrote:
    : > Why don't you just ask them why they want such a long timeout value?
    : >
    : > Cheers
    : > Ken
    : >
    : >
    : Ahh, well, sometimes management has a little bit more control than we
    : would like. I suppose they have some notion that the internet is
    : totally reliable and someone can leave their browser open for a day and
    : not lose their connection. The system is a job application thus it
    : requires alot of time to fill in.
    :
     
    Ken Schaefer, Mar 17, 2005
    #4
  5. Stupid48

    Stupid48 Guest

    Well, I know why they want to do it. This app was promised to HR but
    they did not have anyone build in any membership functionality. Now,
    to save their a$$es, they want to set an extended session timeout so
    the user can walk away from their PC for a while and not lose the stuff
    they typed in. I got them down to 24 hours so far. They are stuck on
    this and since they are management, I have no say unless I can bring
    some security or technical reasons to the table, i.e. the user's
    social security number is at risk because the session is staying open
    for 3 days. Being that I'm just a server guy, I need some help more on
    the dev side of things. But their motives are definitely that they
    think a long timeout will keep the user from losing the data they
    already typed in.

    Ken Schaefer wrote:
    > Hi,
    >
    > Sure, but you want to build a case against this change. So, first try
    > to work out what's driving the change:
    > a) why do they want it?
    > b) why does it have to be 72 hours?
    >
    > You might find that 1 hour would be sufficient. Or you may be able to
    > build some kind of alternative compromise that can keep you, and them,
    > happy. But at the moment all you've posted is "I think they're doing
    > it because of this", so you're speculating as to their motives.
    > Perhaps they actually want to achieve something else, and the session
    > timeout change won't have any benefit to them at all!
    >
    > Cheers
    > Ken
     
    Stupid48, Mar 17, 2005
    #5
  6. Stupid48

    Ignus Fast Guest

    That being the case, wouldn't you be best served by changing the
    application to include a "Load" & "Save" button that will save the data in a
    database for later recall?

    Ignus

    "Stupid48" <> wrote in message
    news:...
    > Well, I know why they want to do it. This app was promised to HR but
    > they did not have anyone build in any membership functionality. Now,
    > to save their a$$es, they want to set an extended session timeout so
    > the user can walk away from their PC for a while and not lose the stuff
    > they typed in. I got them down to 24 hours so far. They are stuck on
    > this and since they are management, I have no say unless I can bring
    > some security or technical reasons to the table, i.e. the user's
    > social security number is at risk because the session is staying open
    > for 3 days. Being that I'm just a server guy, I need some help more on
    > the dev side of things. But their motives are definitely that they
    > think a long timeout will keep the user from losing the data they
    > already typed in.
    >
    > Ken Schaefer wrote:
    >> Hi,
    >>
    >> Sure, but you want to build a case against this change. So, first try
    >> to work out what's driving the change:
    >> a) why do they want it?
    >> b) why does it have to be 72 hours?
    >>
    >> You might find that 1 hour would be sufficient. Or you may be able to
    >> build some kind of alternative compromise that can keep you, and them,
    >> happy. But at the moment all you've posted is "I think they're doing
    >> it because of this", so you're speculating as to their motives.
    >> Perhaps they actually want to achieve something else, and the session
    >> timeout change won't have any benefit to them at all!
    >>
    >> Cheers
    >> Ken
    >
     
    Ignus Fast, Mar 17, 2005
    #6
  7. Stupid48

    Ken Schaefer Guest

    Hi,

    A long session timeout isn't really going to help here unless you have data
    saved in session variables. If this is data that a user is typing into a
    form, a long session timeout isn't going to help per se. You could just as
    easily regenerate the session, and keep the user's information.

    Personally, I think the save/load functionality that someone else has
    mentioned is a good idea. That way, if you do need to reboot the server or
    something (eg to apply a patch), all the users with current sessions open
    aren't going to lose all their data.

    Cheers
    Ken


    "Stupid48" <> wrote in message
    news:...
    : Well, I know why they want to do it. This app was promised to HR but
    : they did not have anyone build in any membership functionality. Now,
    : to save their a$$es, they want to set an extended session timeout so
    : the user can walk away from their PC for a while and not lose the stuff
    : they typed in. I got them down to 24 hours so far. They are stuck on
    : this and since they are management, I have no say unless I can bring
    : some security or technical reasons to the table, i.e. the user's
    : social security number is at risk because the session is staying open
    : for 3 days. Being that I'm just a server guy, I need some help more on
    : the dev side of things. But their motives are definitely that they
    : think a long timeout will keep the user from losing the data they
    : already typed in.
    :
    : Ken Schaefer wrote:
    : > Hi,
    : >
    : > Sure, but you want to build a case against this change. So, first try
    : > to work out what's driving the change:
    : > a) why do they want it?
    : > b) why does it have to be 72 hours?
    : >
    : > You might find that 1 hour would be sufficient. Or you may be able to
    : > build some kind of alternative compromise that can keep you, and them,
    : > happy. But at the moment all you've posted is "I think they're doing
    : > it because of this", so you're speculating as to their motives.
    : > Perhaps they actually want to achieve something else, and the session
    : > timeout change won't have any benefit to them at all!
    : >
    : > Cheers
    : > Ken
    :
     
    Ken Schaefer, Mar 18, 2005
    #7
