Comments on: Auto-renew sessions in webapps? http://www.mikeandrews.com/2008/04/16/auto-renew-sessions-in-webapps/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Who want’s to be be a sex offender | Mike Andrews http://www.mikeandrews.com/2008/04/16/auto-renew-sessions-in-webapps/comment-page-1/#comment-114 Who want’s to be be a sex offender | Mike Andrews Fri, 18 Apr 2008 14:03:12 +0000 http://www.mikeandrews.com/2008/04/16/auto-renew-sessions-in-webapps/#comment-114 [...] tested however, stuff like this, and the misguided comments on the session expiration issue from a previous post always comes up - as a discipline we’ve got such a way to [...] [...] tested however, stuff like this, and the misguided comments on the session expiration issue from a previous post always comes up – as a discipline we’ve got such a way to [...]

]]> By: Tek http://www.mikeandrews.com/2008/04/16/auto-renew-sessions-in-webapps/comment-page-1/#comment-111 Tek Wed, 16 Apr 2008 17:35:42 +0000 http://www.mikeandrews.com/2008/04/16/auto-renew-sessions-in-webapps/#comment-111 I agree with you, and would rather see the sessions expire than some sort of ajax-like heartbeat keeping it going pervasive throughout the internet. On the sites that do adopt this, however, you would agree using some anti-csrf approaches such as some sophisticated nonces (assuming no xss vulnerabilities on the site) would certainly be a good defense against this and allow you to keep the benefit of non-expiring sessions? I agree with you, and would rather see the sessions expire than some sort of ajax-like heartbeat keeping it going pervasive throughout the internet.

On the sites that do adopt this, however, you would agree using some anti-csrf approaches such as some sophisticated nonces (assuming no xss vulnerabilities on the site) would certainly be a good defense against this and allow you to keep the benefit of non-expiring sessions?

]]>