[Mono-list] Security and Firefox 2.0
robertj at gmx.net
Tue Oct 24 10:12:52 EDT 2006
Bradley, Peter wrote:
> I wonder if I could pick some brains?
> According to the BBC:
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
> We already have difficulties with tabbed browsers in the sense that if a
> user closes a tab, it doesn't close the session so users (and therefore
> potentially others if the user leaves the machine unguarded) can jump
> back into a session. Does the feature above mean life is going to be
> even more difficult? Will sessions even be restored if the browser is
> closed and re-opened? This is very important to us, because many of our
> applications run on computers in public access areas. So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability data.
> Or is there something in the .NET security model we should be using that
> we've missed?
I'm supposing you mean ASP.NET.
By default, ASP.NET sessions expire after 10 minutes of inactivity.
This can be controlled with web.config's
<sessionState timeout="<minutes>"> setting.
During this time window, the browser can be recycled w/out
losing the session.
However, sensitive information is usually protected by an
additional authentication layer. If this layer employs cookies,
their expiration must not be set => browsers will not
store the cookies on the disk either => recycling the
browser kills the session.
If a browser doesn't respect the empty expiration value,
then ASP.NET (or any other web server framework that uses
cookies for authentication) can't do anything about it.
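Worked example, added by the editor and not code from robertj's reply or from the Mono project: an ASP.NET 2.0 Web Forms login/logout code-behind that applies the two points above, a short server-side session timeout in web.config and a forms-authentication cookie issued without an expiration date, so the browser keeps it in memory only and discards it when the browser is closed. The logout page also abandons the server session and expires the session-id cookie, so a restored tab cannot resume either. The page names, control names and the web.config values are assumptions for illustration.

```csharp
// Assumed web.config fragment (the sessionState setting from the reply, plus
// forms authentication; values chosen for a public-access terminal):
//   <system.web>
//     <sessionState timeout="10" />
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" timeout="10"
//              slidingExpiration="true" requireSSL="true" />
//     </authentication>
//   </system.web>
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the assumed Login.aspx page (UserNameBox, PasswordBox,
// ErrorLabel and LoginButton are assumed designer-generated controls).
public partial class LoginPage : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserNameBox.Text;
        string pass = PasswordBox.Text;

        // Membership.ValidateUser checks the credentials against the
        // configured membership provider.
        if (!Membership.ValidateUser(user, pass))
        {
            ErrorLabel.Text = "Invalid login.";
            return;
        }

        // Second argument false => createPersistentCookie = false: the
        // Set-Cookie header carries no Expires attribute, so the browser
        // holds the ticket in memory only and drops it when it exits.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}

// Code-behind for the assumed Logout.aspx page.
public partial class LogoutPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Remove the authentication ticket cookie from the client.
        FormsAuthentication.SignOut();

        // End the server-side session now rather than waiting for the
        // 10-minute inactivity timeout to elapse.
        Session.Abandon();

        // Abandon() alone leaves the ASP.NET_SessionId cookie (the default
        // session cookie name) on the client; expire it explicitly.
        HttpCookie sessionCookie = new HttpCookie("ASP.NET_SessionId", "");
        sessionCookie.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(sessionCookie);

        // Keep the logout response itself out of the browser cache.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        Response.Redirect("Login.aspx");
    }
}
```

Because the cookie has no expiration, what survives a browser restart is decided by the browser, not the server, which is exactly the caveat in the reply above; pairing the non-persistent cookie with the short sessionState timeout limits how long a session left on a public machine stays usable in either case.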