We need you!

We're working hard on the next version of Developer Fusion. Let us know what you think we should be up to!

Members

» Login
» Register (Free)
» Member Benefits
» Submit Resource

Technology Zones

» .NET Framework
(Quickstart)
» ASP
» ASP.NET
» C / C++ / MFC
» C# Programming
» Java
» JavaScript
» PHP
» Databases & SQL
» Visual Basic
» VB.NET
» XML
» More...

Articles

» VSA Scripting in .NET
» Direct Input 8
» Moving from Tables to CSS
» Getting System Folders Easily via API
» Building a Full-Featured Custom DataGrid Control

Hosted By

Info

» Partners
» Advertise
» About Us
» Link To Us
» Privacy Policy
» Contact Us

Rated
Read 9,171 times

0 comments

1. Learn about Authentication and Authorization Application Security Issues
2. Cookieless Authentication Enabled
3. Failure to Require SSL for Authentication Cookies
4. Sliding Expiration Used
5. Non-Unique Authentication Cookie Used
6. Hardcoded Credentials Used
7. You're Not Out of the Woods Yet

Related Categories

Top 10 Application Security Vulnerabilities in Web.config Files - Part Two - Sliding Expiration Used

AuthorBryan_Sullivan

Sliding Expiration Used

All authenticated ASP.NET sessions have a timeout interval to protect the application security. The default timeout value is 30 minutes. So, 30 minutes after a user first logs into any of these Web-based applications, he will automatically be logged out and forced to re-authenticate his credentials.

Vulnerable configuration:

<configuration> 
	<system.web="Forms"> 
			<forms slidingExpiration="true">

<configuration> 
	<system.web="Forms"> 
			<forms slidingExpiration="false">

The slidingExpiration setting is an application security measure used to reduce risk to Web-based applications in case the authentication token is stolen. When set to false, the specified timeout interval becomes a fixed period of time from the initial login, rather than a period of inactivity. Attackers using a stolen authentication token have, at maximum, only the specified length of time to impersonate the user before the session times out. Because typical attackers of these Web-based applications have only the token, and don't really know the user's credentials, they can't log back in as the legitimate user, so the stolen authentication token is now useless and the application security threat is mitigated. When sliding expiration is enabled, as long as an attacker makes at least one request to the system every 15 minutes (or half of the timeout interval), the session will remain open indefinitely. This gives attackers more opportunities to steal information and cause other mischief in Web-based applications.

To avoid this application security issue altogether, you can disable sliding expiration by setting the slidingExpiration attribute of the forms element to false.

« Failure to Require SSL for Authentication Cookies | Non-Unique Authentication Cookie Used »

Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the DevInspect and QAInspect Web security products, which help programmers maintain application security throughout the development and testing process. He has a bachelor's degree in mathematics from Georgia Tech and 12 years of experience in the information technology industry. Bryan is currently coauthoring a book with noted security expert Billy Hoffman on Ajax security, which will be published in summer 2007 by Addison-Wesley.

Comments

Read Comments | Post Comment

No one has posted a comment yet. Be the first.

Search

Code Samples

» Print 3D text of a form
» Building an 'AJAX' ProgressBar in Atlas
» MSComm Example
» Current System Resolution Change
» Integrate Web Content

New Members

» nimda 32 in Netherlands
» msas in Malaysia
» Alireza in Netherlands
» anantha Krishnan in India
» Manandhar in Hong Kong SAR
» Prabhath Padmasiri in Sri Lanka