ASP.NET Misconfiguration: Excessive Session Timeout

发布时间:2017-1-19 6:10:53 编辑:www.fx114.net 分享查询网我要评论
本篇文章主要介绍了"ASP.NET Misconfiguration: Excessive Session Timeout",主要涉及到ASP.NET Misconfiguration: Excessive Session Timeout方面的内容,对于ASP.NET Misconfiguration: Excessive Session Timeout感兴趣的同学可以参考一下。

Abstract:

An overly long authentication timeout gives attackers more time to potentially compromise user accounts.

Explanation:

The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a

session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or

commandeer a session from an open browser. Longer authentication timeouts can also prevent memory from being released and

eventually result in a denial of service if a sufficiently large number of sessions are created.

Example 1: The following example shows ASP.NET MVC configured with an hour authentication timeout.

...

<configuration>

<system.web>

<authentication>

<forms

timeout="60" />

</authentication>

</system.web>

</configuration>

...

If the timeout attribute is not specified the authentication timeout defaults to 30 minutes.

Recommendations:

Set an authentication timeout that is 15 minutes or less, which both allows users to interact with the application over a period of

time and provides a reasonable bound for the window of attack.

Example 2: The following example sets the authentication timeout to 15 minutes.

...

<configuration>

<system.web>

<authentication>

<forms

timeout="15" />

</authentication>

</system.web>

</configuration>

上一篇:swift 多线程的使用
下一篇:写给自己的2016年总结

相关文章

相关评论