An overly long authentication timeout gives attackers more time to potentially compromise user accounts.
The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a
session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or
commandeer a session from an open browser. Longer authentication timeouts can also prevent memory from being released and
eventually result in a denial of service if a sufficiently large number of sessions are created.
Example 1: The following example shows ASP.NET MVC configured with an hour authentication timeout.
If the timeout attribute is not specified the authentication timeout defaults to 30 minutes.
Set an authentication timeout that is 15 minutes or less, which both allows users to interact with the application over a period of
time and provides a reasonable bound for the window of attack.
Example 2: The following example sets the authentication timeout to 15 minutes.