Session Timeout Security Risk?

Doogie

Hi,
We have a page we want to refresh every 30 minutes so that users can
get up to date info. The problem is that there is information within
the session that we need in each refresh to determine what roles the
user belongs to so that we can get the data they need.

The page times out because we lose our session info after 20 minutes.
Resetting that timeout value is not an option (I've been told we
aren't allowed).

If I refresh the page every 15 minutes, the problem goes away.
However, I was told that is a security risk because I'm potentially
creating an infinite session timeout.

I'm curious for anyone out there that could help explain if indeed
this is a security risk and why?

Aidy

I can't see any security risk, whoever is running your site probably just
doesn't want infinite timeouts. I guess one security issue would be if the
person leaves their browsing running and walks off somewhere/has lunch/goes
to a long meeting.

bruce barker

You have two security risks, especially if session = authentication.

1) The user leaves the workstation and browser cache; someone else can
access. Medium risk.

2) The more serious in your case: session hijacking. To hijack a session,
all one needs is the session id. Normally you'd check if the session
belongs to the user, but if the session identifies the user, you can't. Then
all that is required to hijack a session is to guess it (easier if it never
expires) or catch it with a network sniffer.


-- bruce (sqlwork.com)
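An added illustration, not code from the thread or from any poster: it models the "infinite timeout" Bruce describes and the usual mitigation. With only a sliding idle timeout, a 15-minute auto-refresh keeps the session alive for as long as the page stays open; an absolute lifetime cap bounds how long a captured or guessed session id stays valid, and a random id makes guessing impractical. The store design, the fake clock and the 8-hour cap are assumptions; the 20-minute idle timeout and 15/30-minute refresh intervals come from the thread.

```python
import secrets
from dataclasses import dataclass


class FakeClock:
    """Constructed clock in minutes so the simulation runs offline and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, minutes):
        self.now += minutes


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side store with a sliding idle timeout and an absolute lifetime cap (assumed design)."""
    def __init__(self, idle_timeout, max_lifetime, clock):
        self.idle_timeout = idle_timeout      # minutes since last request
        self.max_lifetime = max_lifetime      # minutes since login, regardless of activity
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        now = self.clock()
        sid = secrets.token_urlsafe(32)       # 256 random bits: guessing an id is infeasible
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid):
        """Validate the id on every request; return the user, or None once either limit is hit."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.max_lifetime:
            del self._sessions[sid]           # a stolen id stops working at this point
            return None
        s.last_seen = now                     # sliding part: activity extends the idle window
        return s.user


def simulate_refresh(store, clock, sid, refresh_every, duration):
    """Auto-refresh the page every refresh_every minutes; return how many refreshes succeed."""
    ok = 0
    for _ in range(int(duration // refresh_every)):
        clock.advance(refresh_every)
        if store.touch(sid) is None:
            break
        ok += 1
    return ok
```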
 
