Open wittjoe1 opened 9 months ago
This is a good point. @jmanico @kwwall @mackowski what do you think?
I don't like the term "sliding expiration". While technically correct, that portrays it from an implementation perspective. I much prefer the terms "idle session timeout" and "maximum session timeout" because 1) that is the more common term, and 2) that portrays it from a user's perspective.
Just my $.02.
In my opinion it depends on the threat model so I would change to say that in most cases it is ok to use sliding expiration with a short deadline. @wittjoe1 do you want to make a PR with this small change?
I would probably add some context around the reason for disabling it. From Microsoft:
"Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value."
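To make the difference between the three options discussed in this thread concrete (sliding expiration with a short idle timeout, `SlidingExpiration = false`, and an idle timeout capped by a maximum session lifetime), here is a small added model of the cookie-renewal rule quoted above. It is example code written for this issue, not code from the cheat sheet, from ASP.NET, or from Microsoft; the class and function names, the 20-minute idle timeout, the 60-minute maximum and the request timestamps are all constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Ticket:
    """Authentication cookie state. Times are minutes on a constructed clock, not wall time."""
    issued_at: float    # when the user authenticated; never moves on renewal
    renewed_at: float   # when the cookie was last issued or re-issued
    expires_at: float   # idle deadline carried in the cookie


class CookiePolicy:
    """Idle timeout with optional sliding renewal, plus an optional absolute maximum lifetime.

    Sliding renewal follows the rule in the Microsoft text quoted above: the cookie is
    re-issued only when more than half of the timeout interval has elapsed since it was
    last issued. The maximum lifetime is the extra 'maximum session timeout' control
    suggested earlier in the thread; it is not part of the quoted sliding rule.
    """

    def __init__(self, idle_timeout: float, sliding: bool, max_lifetime: Optional[float] = None):
        self.idle_timeout = idle_timeout
        self.sliding = sliding
        self.max_lifetime = max_lifetime

    def login(self, now: float) -> Ticket:
        return Ticket(issued_at=now, renewed_at=now, expires_at=now + self.idle_timeout)

    def validate(self, ticket: Ticket, now: float) -> Optional[Ticket]:
        """Return the (possibly renewed) ticket if the request is authenticated, else None."""
        if now >= ticket.expires_at:
            return None  # idle deadline passed: the user must re-authenticate
        if self.max_lifetime is not None and now - ticket.issued_at >= self.max_lifetime:
            return None  # absolute lifetime exhausted, however active the session was
        if self.sliding and now - ticket.renewed_at > self.idle_timeout / 2:
            # more than half the interval elapsed: re-issue with a fresh idle deadline
            return replace(ticket, renewed_at=now, expires_at=now + self.idle_timeout)
        return ticket


def first_rejected_request(policy: CookiePolicy, request_times: List[float]) -> Optional[float]:
    """Log in at t=0, replay the request times in order, return the first one that is rejected."""
    ticket = policy.login(0.0)
    for t in request_times:
        ticket = policy.validate(ticket, t)
        if ticket is None:
            return t
    return None


# Constructed traffic: one request every 15 minutes for three hours.
EVERY_15_MIN = [15.0 * i for i in range(1, 13)]

if __name__ == "__main__":
    sliding_only = CookiePolicy(idle_timeout=20, sliding=True)
    absolute = CookiePolicy(idle_timeout=20, sliding=False)
    sliding_capped = CookiePolicy(idle_timeout=20, sliding=True, max_lifetime=60)
    print("sliding, no cap          ->", first_rejected_request(sliding_only, EVERY_15_MIN))
    print("SlidingExpiration=false  ->", first_rejected_request(absolute, EVERY_15_MIN))
    print("sliding + 60 min maximum ->", first_rejected_request(sliding_capped, EVERY_15_MIN))
```

Run stand-alone, the model shows the point behind the suggestion to pair the two timeouts: with sliding renewal alone, a client that keeps sending requests is never logged out (no request in the three-hour replay is rejected), with `SlidingExpiration=false` the 20-minute deadline is absolute and the request at minute 30 is rejected, and with sliding renewal plus a 60-minute maximum the idle behaviour stays user-friendly while the request at minute 60 is still rejected. The half-interval rule is also visible: a request at minute 5 does not renew the cookie, so a follow-up at minute 25 is rejected, whereas a request at minute 12 does renew it.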
I just found this:
https://brokul.dev/authentication-cookie-lifetime-and-sliding-expiration
Do you agree? I would merge the content of this page and the Microsoft site you cited in this cheat sheet...
What is missing or needs to be updated?
Chapter "A01 Broken Access Control"
How should this be resolved?
Can you please revise this article and form a consistent line?