Have you noticed that Google, Facebook, and Twitter keep you logged in for a very long time? Unlike your bank, they don't automatically log you out after a period of inactivity. How can they get away with this, and why do your web applications likely still need short session timeouts?

Google, Facebook, and Twitter still have session timeouts, but you don't encounter them very often because their sessions time out only every three months or so.

One of the most authoritative web application security standards organizations is OWASP (Open Web Application Security Project). Here's what OWASP says about session timeouts: “Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. The shorter the session interval is, the lesser the time an attacker has to use the valid session ID.”

Session Timeout Considerations

OWASP continues: “The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.”

From the federal guideline perspective, the draft NIST 800-63B – Digital Identity Guidelines proposes the following recommendation for providing high confidence for authentication: “Reauthentication of the subscriber SHALL be repeated following no more than 30 minutes of user inactivity.”

One of my clients recently attempted to justify their 7-day idle timeout by basically saying, "If Facebook, Google, and Twitter don't force you to reauthenticate every 30 minutes, then why should we?"
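The distinction the post turns on is between an idle timeout (how long a session may sit unused) and an absolute lifetime (how long a session may live no matter how active it is); the three-month sessions at the big consumer sites are the latter, while the OWASP and NIST figures are the former. The following is an added example, not code from the original post, showing a small server-side session store that enforces both. The idle budgets use the upper ends of the OWASP ranges quoted above (5 minutes for high-value, 30 minutes for low-risk, which also meets the NIST 30-minute ceiling); the tier names, the one-day absolute lifetime, and the in-memory store are assumptions of this example.

```python
"""Idle vs. absolute session expiration, parameterised by application risk tier.

Added example (not from the original post). Timeout values come from the OWASP
and NIST text quoted in the post; tier names, the one-day absolute lifetime and
the in-memory store are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Idle-timeout budgets in minutes per risk tier (upper end of the OWASP ranges;
# the 30-minute figure is also the draft NIST 800-63B ceiling).
IDLE_TIMEOUT_MINUTES = {
    "high-value": 5,    # e.g. banking-style applications
    "low-risk": 30,     # e.g. content sites; does not exceed the NIST ceiling
}

# Absolute lifetime: even a continuously active session is eventually forced to
# re-authenticate. One day is an assumption for this example.
ABSOLUTE_LIFETIME = timedelta(days=1)


@dataclass
class Session:
    session_id: str
    user: str
    tier: str
    created_at: datetime
    last_activity: datetime


class SessionStore:
    """Minimal server-side session store enforcing idle and absolute expiration."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        # The clock is injectable so the expiry logic can be tested deterministically.
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, tier: str) -> str:
        if tier not in IDLE_TIMEOUT_MINUTES:
            raise ValueError(f"unknown risk tier: {tier}")
        now = self._clock()
        # 32 random bytes -> URL-safe token; an unguessable session identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, tier, now, now)
        return sid

    def validate(self, sid: str) -> tuple[bool, str]:
        """Return (valid, reason). A valid lookup counts as activity and refreshes the idle timer."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False, "unknown"
        now = self._clock()
        idle_limit = timedelta(minutes=IDLE_TIMEOUT_MINUTES[sess.tier])
        if now - sess.created_at > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid)        # invalidate server-side, not just client-side
            return False, "absolute-expired"
        if now - sess.last_activity > idle_limit:
            self._sessions.pop(sid)        # a leaked session ID is now useless
            return False, "idle-expired"
        sess.last_activity = now
        return True, "ok"

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> dict[str, str]:
    """Walk a fake clock through the cases the post discusses; returns the reason per case."""
    t = [datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)]   # constructed start time
    store = SessionStore(clock=lambda: t[0])
    results = {}

    bank = store.create("alice", "high-value")
    t[0] += timedelta(minutes=4)
    results["bank_after_4m"] = store.validate(bank)[1]        # within 5-minute idle budget
    t[0] += timedelta(minutes=6)
    results["bank_after_10m_idle"] = store.validate(bank)[1]  # idle > 5 min: expired

    blog = store.create("bob", "low-risk")
    t[0] += timedelta(minutes=29)
    results["blog_after_29m"] = store.validate(blog)[1]
    t[0] += timedelta(minutes=31)
    results["blog_after_31m_idle"] = store.validate(blog)[1]  # idle > 30 min: expired

    active = store.create("carol", "low-risk")
    for _ in range(48):                     # touched every 30 min for exactly 24 hours
        t[0] += timedelta(minutes=30)
        store.validate(active)
    t[0] += timedelta(minutes=30)           # still active, but past the absolute lifetime
    results["active_past_absolute"] = store.validate(active)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

Expired sessions are removed from the store rather than merely flagged, so a session ID captured earlier cannot be replayed once either clock has run out; the absolute lifetime is what keeps a long idle budget from turning into a session that never dies.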