[Mono-list] Security and Firefox 2.0

[Robert Jordan]

Bradley, Peter wrote:
> I wonder if I could pick some brains?
> 
> According to the BBC:
> 
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
> 
> We already have difficulties with tabbed browsers in the sense that if a
> user closes a tab, it doesn't close the session so users (and therefore
> potentially others if the user leaves the machine unguarded) can jump
> back into a session.  Does the feature above mean life is going to be
> even more difficult?  Will sessions even be restored if the browser is
> closed and re-opened?  This is very important to us, because many of our
> applications run on computers in public access areas.  So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability data
> &c.
> 
> Or is there something in the .NET security model we should be using that
> we've missed?

I'm supposing you mean ASP.NET.

By default, ASP.NET sessions expire after 10 minutes of inactivity.
This can be controlled with web.config's
<sessionState timeout="<minutes>"> setting.

During this time window, the browser can be recycled w/out
losing the session.

However, sensitive information is usually protected by an
additional authentication layer. If this layer employs cookies,
their expiration must not be set => browsers will not
store the cookies on the disk either => recycling the
browser kills the session.

If a browser doesn't respect the empty expiration value,
then ASP.NET (or any other web server framework that uses
cookies for authentication) can't do nothing about it.

Robert