Question about a long session timeout (somewhat long)

Stupid48

I've been told by my developers to increase the asp.net session timeout
to 72 hours. Being a server guy, it concerns me because of the obvious
potential for denial of service due to resource consumption.
Basically, it is an asp.net application that runs ssl and may take some
personal information.

They have not yet put in membership functionality to allow the user to
save their work so my thought is that they're trying to get around it
by increasing the timeout thus keeping the user from losing their
work.

Anyone with common sense knows it's wrong, but...

Can someone help me mount a case to not allow this due to security
concerns and maybe offer some solutions bearing in mind that they do
not plan on adding any kind of membership functionality in the near
future?

Maybe I do not fully understand session timeouts versus expiring a
page.

Any comments would be greatly appreciated...

Chris
 
Ken Schaefer

Why don't you just ask them why they want such a long timeout value?

Cheers
Ken


: I've been told by my developers to increase the asp.net session timeout
: to 72 hours. Being a server guy, it concerns me because of the obvious
: potential for denial of service due to resource consumption.
: Basically, it is an asp.net application that runs ssl and may take some
: personal information.
:
: They have not yet put in membership functionality to allow the user to
: save their work so my thought is that they're trying to get around it
: by increasing the timeout thus keeping the user from losing their
: work.
:
: Anyone with common sense knows it's wrong, but...
:
: Can someone help me mount a case to not allow this due to security
: concerns and maybe offer some solutions bearing in mind that they do
: not plan on adding any kind of membership functionality in the near
: future?
:
: Maybe I do not fully understand session timeouts versus expiring a
: page.
:
: Any comments would be greatly appreciated...
:
: Chris
:
 
Stupid48

Ken said:
Why don't you just ask them why they want such a long timeout value?

Cheers
Ken

Ahh, well, sometimes management has a little bit more control than we
would like. I suppose they have some notion that the internet is
totally reliable and someone can leave their browser open for a day and
not lose their connection. The system is a job application thus it
requires a lot of time to fill in.
 
Ken Schaefer

Hi,

Sure, but you want to build a case against this change. So, first try to
work out what's driving the change:
a) why do they want it?
b) why does it have to be 72 hours?

You might find that 1 hour would be sufficient. Or you may be able to build
some kind of alternative compromise that can keep you, and them, happy. But
at the moment all you've posted is "I think they're doing it because of
this", so you're speculating as to their motives. Perhaps they actually want
to achieve something else, and the session timeout change won't have any
benefit to them at all!

Cheers
Ken


:
: Ken Schaefer wrote:
: > Why don't you just ask them why they want such a long timeout value?
: >
: > Cheers
: > Ken
: >
: >
: Ahh, well, sometimes management has a little bit more control than we
: would like. I suppose they have some notion that the internet is
: totally reliable and someone can leave their browser open for a day and
: not lose their connection. The system is a job application thus it
: requires a lot of time to fill in.
:
 
Stupid48

Well, I know why they want to do it. This app was promised to HR but
they did not have anyone build in any membership functionality. Now,
to save their a$$es, they want to set an extended session timeout so
the user can walk away from their PC for a while and not lose the stuff
they typed in. I got them down to 24 hours so far. They are stuck on
this and since they are management, I have no say unless I can bring
some security or technical reasons to the table. i.e. The user's
social security number is at risk because the session is staying open
for 3 days. Being that I'm just a server guy, I need some help more on
the dev side of things. But their motives are definitely that they
think a long timeout will keep the user from losing the data they
already typed in.
 
Ignus Fast

That being the case, wouldn't you be best served by changing the
application to include a "Load" & "Save" button that will save the data in a
database for later recall?

Ignus
 
Ken Schaefer

Hi,

A long session timeout isn't really going to help here unless you have data
saved in session variables. If this is data that a user is typing into a
form, a long session timeout isn't going to help per se. You could just as
easily regenerate the session, and keep the user's information.

Personally, I think the save/load functionality that someone else has
mentioned is a good idea. That way, if you do need to reboot the server or
something (eg to apply a patch), all the users with current sessions open
aren't going to lose all their data.

Cheers
Ken


: Well, I know why they want to do it. This app was promised to HR but
: they did not have anyone build in any membership functionality. Now,
: to save their a$$es, they want to set an extended session timeout so
: the user can walk away from their PC for a while and not lose the stuff
: they typed in. I got them down to 24 hours so far. They are stuck on
: this and since they are management, I have no say unless I can bring
: some security or technical reasons to the table. i.e. The user's
: social security number is at risk because the session is staying open
: for 3 days. Being that I'm just a server guy, I need some help more on
: the dev side of things. But their motives are definitely that they
: think a long timeout will keep the user from losing the data they
: already typed in.
:
: Ken Schaefer wrote:
: > Hi,
: >
: > Sure, but you want to build a case against this change. So, first try to
: > work out what's driving the change:
: > a) why do they want it?
: > b) why does it have to be 72 hours?
: >
: > You might find that 1 hour would be sufficient. Or you may be able to build
: > some kind of alternative compromise that can keep you, and them, happy. But
: > at the moment all you've posted is "I think they're doing it because of
: > this", so you're speculating as to their motives. Perhaps they actually want
: > to achieve something else, and the session timeout change won't have any
: > benefit to them at all!
: >
: > Cheers
: > Ken
:
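The alternative Ken and Ignus describe above, as an added example that is not code posted in the thread: leave the ASP.NET session timeout at its default (`<sessionState timeout="20" />` in web.config, the value is in minutes) and persist the applicant's partially completed form to a database under a random resume token, so neither the form data nor the session has to stay in server memory for days. The table `JobApplicationDraft(DraftToken, FormData, SavedUtc)`, the connection string named `HR` and the list of fields that are never persisted are assumptions made for this illustration, not anything from the thread.

```csharp
// Added example (not from the thread). Drafts live in the database with their own
// lifetime; the in-process session can keep its short default timeout.
// Assumed schema: JobApplicationDraft(DraftToken char(32) primary key,
// FormData nvarchar(max), SavedUtc datetime) and a connection string named "HR".
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class DraftStore
{
    // Drafts expire on their own schedule; nothing here depends on Session.Timeout.
    public static readonly TimeSpan DraftLifetime = TimeSpan.FromDays(3);

    // Fields never written to a draft (assumed names); the applicant re-enters them at final submission.
    private static readonly string[] NeverPersist = { "SSN", "Password" };

    // 128 bits from the CSPRNG so a resume link cannot be guessed or enumerated.
    public static string NewToken()
    {
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Serialise the posted fields as URL-encoded key=value lines, skipping excluded fields.
    public static string Serialize(NameValueCollection form)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string key in form.AllKeys)
        {
            if (key == null || Array.IndexOf(NeverPersist, key) >= 0) continue;
            sb.Append(HttpUtility.UrlEncode(key)).Append('=')
              .Append(HttpUtility.UrlEncode(form[key])).Append('\n');
        }
        return sb.ToString();
    }

    // Parse stored lines back into field names and values for repopulating the form.
    public static NameValueCollection Deserialize(string data)
    {
        NameValueCollection form = new NameValueCollection();
        foreach (string line in data.Split(new char[] { '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = line.IndexOf('=');
            if (eq < 0) continue;
            form.Add(HttpUtility.UrlDecode(line.Substring(0, eq)),
                     HttpUtility.UrlDecode(line.Substring(eq + 1)));
        }
        return form;
    }

    private static SqlConnection Open()
    {
        string cs = ConfigurationManager.ConnectionStrings["HR"].ConnectionString;
        SqlConnection conn = new SqlConnection(cs);
        conn.Open();
        return conn;
    }

    // Insert or update the draft; every value goes through a parameter.
    public static void Save(string token, string formData)
    {
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "UPDATE JobApplicationDraft SET FormData = @data, SavedUtc = @now WHERE DraftToken = @token; " +
                "IF @@ROWCOUNT = 0 INSERT INTO JobApplicationDraft (DraftToken, FormData, SavedUtc) VALUES (@token, @data, @now);";
            cmd.Parameters.AddWithValue("@token", token);
            cmd.Parameters.AddWithValue("@data", formData);
            cmd.Parameters.AddWithValue("@now", DateTime.UtcNow);
            cmd.ExecuteNonQuery();
        }
    }

    // Returns null when the token is unknown or the draft is older than DraftLifetime.
    public static string Load(string token)
    {
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT FormData FROM JobApplicationDraft WHERE DraftToken = @token AND SavedUtc > @cutoff";
            cmd.Parameters.AddWithValue("@token", token);
            cmd.Parameters.AddWithValue("@cutoff", DateTime.UtcNow - DraftLifetime);
            return cmd.ExecuteScalar() as string;
        }
    }

    // Run from a scheduled job so abandoned drafts do not accumulate.
    public static int PurgeExpired()
    {
        using (SqlConnection conn = Open())
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "DELETE FROM JobApplicationDraft WHERE SavedUtc <= @cutoff";
            cmd.Parameters.AddWithValue("@cutoff", DateTime.UtcNow - DraftLifetime);
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In the page's Save button handler this is `DraftStore.Save(token, DraftStore.Serialize(Request.Form))`, with the token generated once by `DraftStore.NewToken()` and shown to the applicant as a resume link; the resume page calls `DraftStore.Load(Request.QueryString["token"])` and repopulates the form from `Deserialize`. A server reboot or patch no longer loses in-progress applications, the per-draft cost is a database row rather than live session memory, and the most sensitive fields are never held for days at all.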