[Mono-list] Security and Firefox 2.0
Robert Jordan
robertj at gmx.net
Tue Oct 24 10:12:52 EDT 2006
Bradley, Peter wrote:
> I wonder if I could pick some brains?
>
> According to the BBC:
>
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
>
> We already have difficulties with tabbed browsers in the sense that if a
> user closes a tab, it doesn't close the session so users (and therefore
> potentially others if the user leaves the machine unguarded) can jump
> back into a session. Does the feature above mean life is going to be
> even more difficult? Will sessions even be restored if the browser is
> closed and re-opened? This is very important to us, because many of our
> applications run on computers in public access areas. So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability data
> &c.
>
> Or is there something in the .NET security model we should be using that
> we've missed?
I'm supposing you mean ASP.NET.
By default, ASP.NET sessions expire after 10 minutes of inactivity.
This can be controlled with web.config's
<sessionState timeout="<minutes>"> setting.
During this time window, the browser can be recycled w/out
losing the session.
However, sensitive information is usually protected by an
additional authentication layer. If this layer employs cookies,
their expiration must not be set => browsers will not
store the cookies on the disk either => recycling the
browser kills the session.
If a browser doesn't respect the empty expiration value,
then ASP.NET (or any other web server framework that uses
cookies for authentication) can't do nothing about it.
Robert
More information about the Mono-list
mailing list