OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: DotNet Security Cheat Sheet #1325

Open wittjoe1 opened 4 months ago

wittjoe1 commented 4 months ago

What is missing or needs to be updated?

Chapter "A01 Broken Access Control"

The following requirement is included in Chapter A01: "Reduce the time period a session can be stolen in by reducing session timeout and removing sliding expiration":

ExpireTimeSpan = TimeSpan.FromMinutes(60),
SlidingExpiration = false

The following example is like this (lines 32/33):

ExpireTimeSpan = TimeSpan.FromMinutes(30),
SlidingExpiration = true,

I don't think it's a bad idea using SlidingExpiration - if it is implemented safely, especially using a short deadline, do you?

How should this be resolved?

Can you please revise this article and form a consistent line?

szh commented 4 months ago

This is a good point. @jmanico @kwwall @mackowski what do you think?

kwwall commented 4 months ago

I don't like the term "sliding expiration". While technically correct, that portrays it from an implementation perspective. I much prefer the terms "idle session timeout" and "maximum session timeout" because 1) that is the more common term, and 2) that portrays it from a user's perspective.

Just my $.02.

mackowski commented 4 months ago

In my opinion it depends on the threat model, so I would change it to say that in most cases it is ok to use sliding expiration with a short deadline. @wittjoe1 do you want to make a PR with this small change?

fcerullo-cycubix commented 4 months ago

I would probably add some context around the reason for disabling it. From Microsoft:

"Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value."

https://learn.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.slidingexpiration?view=netframework-4.8.1

wittjoe1 commented 4 months ago

I just found this:

https://brokul.dev/authentication-cookie-lifetime-and-sliding-expiration

Do you agree? I would merge the content of this page and the site of Microsoft you cited into this cheat sheet...
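An added example, not from the cheat sheet and not from anyone in this thread, of the middle ground the discussion converges on: keep sliding expiration as an idle timeout (kwwall's "idle session timeout") but pair it with an absolute maximum session lifetime ("maximum session timeout"), which ASP.NET Core cookie authentication does not enforce by itself when `SlidingExpiration` is `true`. It assumes ASP.NET Core cookie authentication (`AddCookie`); the policy values, the `SessionTimeoutConfig` class and the `abs_exp` ticket item key are assumptions chosen for the example.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SessionTimeoutConfig
{
    // Assumed policy values, not taken from the cheat sheet; tune to the threat model.
    public static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    public static readonly TimeSpan AbsoluteTimeout = TimeSpan.FromHours(8);

    // Hypothetical item key under which the absolute deadline is stored in the auth ticket.
    private const string AbsoluteExpiryKey = "abs_exp";

    public static void Configure(CookieAuthenticationOptions options)
    {
        // Idle timeout: with SlidingExpiration the cookie is re-issued on a request made
        // after more than half of ExpireTimeSpan has elapsed, so an idle session ends
        // after IdleTimeout while an active one keeps being renewed.
        options.ExpireTimeSpan = IdleTimeout;
        options.SlidingExpiration = true;

        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;

        options.Events = new CookieAuthenticationEvents
        {
            // Record the absolute deadline once, at sign-in. Sliding renewals re-issue
            // the ticket with its Items intact, so this value is never pushed forward.
            OnSigningIn = ctx =>
            {
                ctx.Properties.Items[AbsoluteExpiryKey] = DateTimeOffset.UtcNow
                    .Add(AbsoluteTimeout)
                    .ToString("o", CultureInfo.InvariantCulture);
                return Task.CompletedTask;
            },
            // Maximum session timeout: reject the principal once the absolute deadline
            // has passed, no matter how recently the sliding window was renewed.
            OnValidatePrincipal = async ctx =>
            {
                if (IsWithinAbsoluteWindow(ctx.Properties, DateTimeOffset.UtcNow))
                {
                    return;
                }
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    }

    // A ticket without a parseable deadline (e.g. issued before this policy existed)
    // is treated as expired, which forces one re-login on rollout.
    public static bool IsWithinAbsoluteWindow(AuthenticationProperties props, DateTimeOffset now)
    {
        return props.Items.TryGetValue(AbsoluteExpiryKey, out var raw)
            && DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture,
                                       DateTimeStyles.RoundtripKind, out var deadline)
            && now < deadline;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services
            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(SessionTimeoutConfig.Configure);
        builder.Services.AddAuthorization();

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.MapGet("/", () => "ok").RequireAuthorization();
        app.Run();
    }
}
```

With this configuration the two numbers the thread argues about are separated: `SlidingExpiration = true` with a short `ExpireTimeSpan` bounds how long an unattended session stays usable, and the `abs_exp` check bounds how long a stolen cookie can be kept alive by an attacker who keeps sending requests, which is the risk the "remove sliding expiration" requirement in A01 is really about. The deadline lives inside the data-protected ticket, so a client cannot edit it without invalidating the cookie.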