Update: DotNet Security Cheat Sheet #1325
Comments
This is a good point. @jmanico @kwwall @mackowski what do you think?
I don't like the term "sliding expiration". While technically correct, it portrays this from an implementation perspective. I much prefer the terms "idle session timeout" and "maximum session timeout" because 1) those are the more common terms, and 2) they portray it from the user's perspective. Just my $.02.
In my opinion it depends on the threat model, so I would change it to say that in most cases it is OK to use sliding expiration with a short deadline.
I would probably add some context around the reason for disabling it. From Microsoft: "Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value."
I just found this: https://brokul.dev/authentication-cookie-lifetime-and-sliding-expiration Do you agree? I would merge the content of this page and the Microsoft page you cited into this cheat sheet...
What is missing or needs to be updated?
Chapter "A01 Broken Access Control"
The following example is like this (line 32/33):
I don't think it's a bad idea to use SlidingExpiration if it is implemented safely, especially with a short deadline, do you?
How should this be resolved?
Could you please revise this article so that it takes a consistent line?
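The position the thread converges on (short sliding idle timeout, plus a hard cap on total session length, as in the Microsoft description of SlidingExpiration and the "idle session timeout" / "maximum session timeout" terminology above) can be expressed directly in ASP.NET Core cookie authentication. The following is an added example written for this discussion; it is not code from the cheat sheet, from the issue, or from Microsoft. The 15-minute and 8-hour values, the "/login" endpoint and the property key "absolute_expires_utc" are illustrative assumptions. The relevant mechanics are: SlidingExpiration renews the ticket once more than half of ExpireTimeSpan has elapsed, and each renewal resets Properties.IssuedUtc, so a maximum lifetime has to be carried in a value written once at sign-in and checked in OnValidatePrincipal.

```csharp
// Added example (not from the cheat sheet, the issue, or Microsoft):
// ASP.NET Core cookie auth with a short idle timeout (sliding expiration)
// and an absolute maximum session lifetime enforced in OnValidatePrincipal.
using System;
using System.Globalization;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed policy values; tune them to your own threat model.
TimeSpan idleTimeout = TimeSpan.FromMinutes(15);
TimeSpan maxSessionLifetime = TimeSpan.FromHours(8);
// Illustrative key name for the sign-in-time absolute expiry (not a framework identifier).
const string AbsoluteExpiryKey = "absolute_expires_utc";

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Idle timeout: the ticket is valid for ExpireTimeSpan since it was last issued.
        options.ExpireTimeSpan = idleTimeout;
        // Sliding expiration re-issues the ticket when a request arrives after more than
        // half of ExpireTimeSpan has elapsed. On its own this only bounds idle time;
        // an active user (or an attacker replaying a stolen cookie) can keep it alive.
        options.SlidingExpiration = true;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;

        options.Events.OnValidatePrincipal = async context =>
        {
            // Properties.IssuedUtc is reset on every sliding renewal, so the absolute
            // limit is read from a property that was written once at sign-in.
            if (!context.Properties.Items.TryGetValue(AbsoluteExpiryKey, out var raw)
                || !DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture,
                        DateTimeStyles.RoundtripKind, out var absoluteExpiry)
                || DateTimeOffset.UtcNow >= absoluteExpiry)
            {
                // Missing, unparsable or past the cap: fail closed and clear the cookie.
                context.RejectPrincipal();
                await context.HttpContext.SignOutAsync(
                    CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical login endpoint; credential verification is omitted for brevity.
app.MapPost("/login", async (HttpContext http, string username) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, username) },
        CookieAuthenticationDefaults.AuthenticationScheme);

    var props = new AuthenticationProperties { IsPersistent = false };
    // Written exactly once; sliding renewals copy Items forward unchanged.
    props.Items[AbsoluteExpiryKey] = DateTimeOffset.UtcNow
        .Add(maxSessionLifetime)
        .ToString("o", CultureInfo.InvariantCulture);

    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity), props);
    return Results.Ok();
});

app.Run();
```

Setting `options.SlidingExpiration = false` instead turns ExpireTimeSpan into the absolute lifetime and drops the idle timeout, which is the stricter behaviour the quoted Microsoft text describes; the two-timer arrangement above is what lets a short idle window coexist with a bounded maximum. The same split applies to classic ASP.NET Forms authentication, where `slidingExpiration` and `timeout` on the `<forms>` element play the roles of SlidingExpiration and ExpireTimeSpan, but that stack has no OnValidatePrincipal hook, so an absolute cap there has to be checked in application code against a timestamp stored in the ticket's UserData.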