Have you noticed that Google, Facebook, and Twitter keep you logged in for a very long time? Unlike your bank, they don't automatically log you out after a period of inactivity.

How can they get away with this, and why do your web applications likely still need short session timeouts?

Google, Facebook, and Twitter still have session timeouts, but you don't encounter them very often because sessions time out every three months or so.

One of the most authoritative web application security standards organizations is OWASP (Open Web Application Security Project). Here's what OWASP says about session timeouts: “Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.”

From the federal guideline perspective, the draft NIST 800-63B – Digital Identity Guidelines proposes the following recommendation for providing high confidence for authentication: “Reauthentication of the subscriber SHALL be repeated following no more than 30 minutes of user inactivity.”

One of my clients recently attempted to justify their 7-day idle timeout by basically saying, "If Facebook, Google, and Twitter don't force you to reauthenticate every 30 minutes, then why should we?"

If you have had similar thoughts, you should consider the following.

First, your organization is not Google, Twitter or Facebook. Your business model is likely not geared toward keeping users engaged with your service for sustained periods of time like these sites are. You have an obligation to evaluate your business' unique operating environment risk, independent of what popular websites are doing.

Second, and most importantly, these sites mitigate the risk of a hijacked session with several security enhancements that your site probably doesn't offer.

Remote Logout - Google, Facebook, and Twitter allow you to see a list of devices with active sessions and to terminate any of these sessions. This comes in handy when you realize you forgot to log out of Facebook from your friend's computer, and you don't trust them not to post to your news feed.

Reauthentication Prompts - If you try to make security-sensitive modifications to your account on Twitter and Google, you may be prompted to reauthenticate first. This will limit the damage that account hijackers can cause.

Login History - Each service allows you to review the login history in case you suspect your account may have been compromised. You can use this information to help identify hijacked sessions.
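As an added example (not code from this post or from any of the services it names), here is a minimal server-side session store that puts the pieces above together: an idle timeout using the OWASP figures quoted in the post, a login history, a per-user device list with remote logout, and a gate that forces fresh reauthentication before a security-sensitive change. The five-minute reauthentication window and the injectable clock are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Idle-timeout bounds from the OWASP guidance quoted in the post (seconds).
IDLE_TIMEOUT_HIGH_VALUE = 5 * 60
IDLE_TIMEOUT_LOW_RISK = 30 * 60
# Max age of the last credential check before a sensitive change (assumed value).
REAUTH_WINDOW = 5 * 60

@dataclass
class Session:
    user: str
    device: str
    last_seen: float  # drives the idle timeout
    last_auth: float  # drives the reauthentication prompt

class SessionStore:
    def __init__(self, idle_timeout, clock=time.time):  # clock is injectable for tests
        self.idle_timeout, self.clock = idle_timeout, clock
        self._sessions = {}      # session id -> Session
        self.login_history = []  # (user, device, timestamp) shown to the user
    def login(self, user, device):
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, device, now, now)
        self.login_history.append((user, device, now))
        return sid
    def _alive(self, sid):
        """Return the Session if it exists and is not idle. Idle sessions are
        deleted server-side so a stolen ID cannot be replayed after expiry."""
        s = self._sessions.get(sid)
        if s is not None and self.clock() - s.last_seen > self.idle_timeout:
            del self._sessions[sid]
            s = None
        return s
    def touch(self, sid):  # called on every authenticated request
        if (s := self._alive(sid)) is not None:
            s.last_seen = self.clock()
        return s
    def requires_reauth(self, sid):  # gate for security-sensitive changes
        s = self.touch(sid)
        return s is None or self.clock() - s.last_auth > REAUTH_WINDOW
    def reauthenticate(self, sid):  # called after a fresh credential check
        if (s := self.touch(sid)) is not None:
            s.last_auth = self.clock()
    def active_sessions(self, user):  # device list; does not refresh idle clocks
        return [(sid, s.device) for sid, s in list(self._sessions.items())
                if s.user == user and self._alive(sid) is not None]
    def revoke(self, sid):  # remote logout of one session
        return self._sessions.pop(sid, None) is not None
```

Note that listing sessions uses `_alive` rather than `touch`, so viewing the device list from one browser does not keep a forgotten session on another machine alive.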