Auto-renew sessions in webapps?
April 16, 2008
Nice post, and an even better discussion over at CodingHorror about using an AJAX “heartbeat” to renew sessions on web applications and not annoy users.
I won’t add to the reasons why in some ways this is a good idea (it saves users’ data so they don’t lose it - how many times have you “lost” a big post/comment/message in an HTML form that hasn’t posted because you weren’t logged in / network error / session timeout!) or bad (how session regeneration is occurring), but I’m pleased beyond words that Brett (on April 16, 2008 06:24 AM - sorry, no link to the direct comment) mentioned the number one reason that sessions should expire (and encourage users not to stay logged in longer than they should be) - CROSS SITE REQUEST FORGERIES.
There’s seriously not enough talk about this innate vulnerability out there (although hopefully that’s getting started). Keeping users logged into webapps just opens them up to CSRF if they surf off to unknown/untrusted sites while still being logged into “sensitive” sites. It’s been shown that it’s just too easy for a page to detect which sites a visiting user has been to previously, and even whether they are currently logged in to those sites.
I get that security sometimes gets in the way of usability, and we really want to minimize the “pain” as much as possible. Sometimes, however, you just have to “suck it up” - although a certain feature might be “nice to have”, you really have to think hard about the security consequences.

April 16th, 2008 at 9:35 am
Tek said: I agree with you, and would rather see the sessions expire than some sort of ajax-like heartbeat keeping it going pervasive throughout the internet.
On the sites that do adopt this, however, you would agree using some anti-csrf approaches such as some sophisticated nonces (assuming no xss vulnerabilities on the site) would certainly be a good defense against this and allow you to keep the benefit of non-expiring sessions?
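As an added example (not code from the post, CodingHorror, or Tek), here is the combination the post and this comment are talking about: a server-side idle timeout on the session, plus a synchronizer token bound to the session ID with an HMAC, so a cross-site form that rides on the cookie is rejected even while the session is alive. The secret key, the 15-minute limit, the handler name and the sample user are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-example-key-change-me"  # assumption: per-deployment secret
IDLE_TIMEOUT = 15 * 60  # assumption: 15 minutes of inactivity ends the session


class SessionStore:
    """Minimal in-memory session table with a server-side idle limit."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the timeout can be exercised
        self.sessions = {}        # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable session id
        self.sessions[sid] = {"user": user, "last_seen": self.now()}
        return sid

    def lookup(self, sid):
        """Return the session if it exists and is not idle-expired, else None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]          # expired: forget it server-side too
            return None
        s["last_seen"] = self.now()         # a real request refreshes the idle clock
        return s


def csrf_token(sid):
    """Synchronizer token: derived from the session id, so it is useless for any other session."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_post(store, cookie_sid, form_token):
    """Handle a state-changing POST. Returns (HTTP status, detail)."""
    s = store.lookup(cookie_sid)
    if s is None:
        return 401, "session expired or unknown"
    # The browser sends the cookie automatically on a cross-site POST, but a forged
    # form cannot read or compute the token, so this check is what stops CSRF.
    if form_token is None or not hmac.compare_digest(csrf_token(cookie_sid), form_token):
        return 403, "missing or invalid CSRF token"
    return 200, "accepted for " + s["user"]


def demo():
    """Walk through the three cases; returns the status code of each."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("alice")               # constructed sample user
    out = {}
    out["forged_no_token"] = handle_post(store, sid, None)[0]
    out["forged_other_token"] = handle_post(store, sid, csrf_token("other-session"))[0]
    out["legit"] = handle_post(store, sid, csrf_token(sid))[0]
    clock[0] += IDLE_TIMEOUT + 1              # user walks away; no heartbeat keeps it alive
    out["after_idle"] = handle_post(store, sid, csrf_token(sid))[0]
    return out
```

Note that an AJAX heartbeat would simply call `lookup` on a timer and keep `last_seen` fresh, which is exactly why the token check has to carry the weight if sessions never go idle.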
April 18th, 2008 at 6:03 am
Who want’s to be be a sex offender | Mike Andrews said: [...] tested however, stuff like this, and the misguided comments on the session expiration issue from a previous post always comes up - as a discipline we’ve got such a way to [...]