ASP.NET Misconfiguration: Excessive Session Timeout-白红宇

ASP.NET Misconfiguration: Excessive Session Timeout

阅读量：6792 次

发布时间：2019-06-26

本文共 1326 字，大约阅读时间需要 4 分钟。

Abstract:

An overly long authentication timeout gives attackers more time to potentially compromise user accounts.

Explanation:

The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a

session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or

commandeer a session from an open browser. Longer authentication timeouts can also prevent memory from being released and

eventually result in a denial of service if a sufficiently large number of sessions are created.

Example 1: The following example shows ASP.NET MVC configured with an hour authentication timeout.

...

<system.web>

<forms

timeout="60" />

</authentication>

</system.web>

</configuration>

...

If the timeout attribute is not specified the authentication timeout defaults to 30 minutes.

Recommendations:

Set an authentication timeout that is 15 minutes or less, which both allows users to interact with the application over a period of

time and provides a reasonable bound for the window of attack.

Example 2: The following example sets the authentication timeout to 15 minutes.

...

<system.web>

<forms

timeout="15" />

</authentication>

</system.web>

</configuration>

转载地址：http://vgago.baihongyu.com/

你可能感兴趣的文章

《 Python树莓派编程》——第2章轻松掌握Linux 2.1 开始使用树莓派的Linux

查看>>

MySQL使用初步—mysql数据库的基本命令

查看>>

如何配置 MongoDB 副本集

查看>>

《Python核心编程（第二版）》——1.5　运行Python

查看>>

Node.js Undocumented(1)

查看>>

《C语言及程序设计》实践项目——程序的多文件组织

数据结构例程——从一个顶点到其余各顶点的最短路径

查看>>

java代码中init method和destroy method的三种使用方式

查看>>

应用迁云之镜像迁移-（5）阿里云上跨VPC和区域、账号镜像迁移实践

查看>>

2015级C++第6周项目类的组合、静态存储

[UML]UML系列——类图class的依赖关系

查看>>

Sql Server 数据库还原（请勿模仿！）

查看>>

数据库的垂直分割、水平分割和表列散之间的“纠葛”

查看>>

Myeclipse SVN插件使用

查看>>