Top 10 Application Security Vulnerabilities in Web.config Files - Part Two
Sliding Expiration Used
All authenticated ASP.NET sessions have a timeout interval that limits how long the authentication ticket remains valid. The default timeout value is 30 minutes, so 30 minutes after a user first logs into one of these Web-based applications he is automatically logged out and must re-authenticate with his credentials.
Vulnerable configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
Secure configuration:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>
The slidingExpiration setting is an application security measure that reduces the risk to Web-based applications if an authentication token is stolen. When it is set to false, the timeout interval is a fixed period measured from the initial login rather than a period of inactivity, so an attacker holding a stolen token has at most that length of time to impersonate the user before the session times out. Because such attackers typically have only the token and do not know the user's credentials, they cannot log back in as the legitimate user; once the token expires it is useless and the threat is mitigated. When sliding expiration is enabled, an attacker who makes at least one request every 15 minutes (half of the default 30-minute timeout interval) keeps the session open indefinitely, which gives him more opportunities to steal information and cause other mischief in Web-based applications.
To avoid this application security issue altogether, you can disable sliding expiration by setting the slidingExpiration attribute of the forms element to false.
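As an added example that is not part of the article: the Python script below parses the forms element of a web.config like the two shown above and replays a stream of requests that present a ticket issued at login, so the difference between the two settings can be measured rather than described. It assumes the renewal rule of ASP.NET's FormsAuthentication.RenewTicketIfOld (a ticket is reissued on a request once at least half of its timeout has elapsed) and the ASP.NET defaults of timeout="30" and slidingExpiration="true" when the attributes are absent; the two web.config strings and the request timings are constructed for the example.

```python
"""Added example (not from the article): model how long a stolen ASP.NET forms
authentication ticket stays usable under slidingExpiration="true" versus
"false", driven by the <forms> element of a web.config.

Assumptions: renewal follows FormsAuthentication.RenewTicketIfOld (a ticket is
reissued once elapsed time >= remaining time, i.e. at least half the timeout has
passed); timeout defaults to 30 minutes and slidingExpiration defaults to true
when the attributes are missing. The config strings below are constructed from
the article's fragments, with closing tags added.
"""
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MINUTES = 30   # ASP.NET default for <forms timeout="...">
DEFAULT_SLIDING = True         # ASP.NET default for slidingExpiration

VULNERABLE_WEBCONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>"""

SECURE_WEBCONFIG = VULNERABLE_WEBCONFIG.replace(
    'slidingExpiration="true"', 'slidingExpiration="false"')


def parse_forms_settings(webconfig_xml: str) -> dict:
    """Extract slidingExpiration and timeout (minutes) from the <forms> element."""
    root = ET.fromstring(webconfig_xml)
    forms = root.find("system.web/authentication/forms")
    if forms is None:
        raise ValueError("no <forms> element under <system.web>/<authentication>")
    sliding_attr = forms.get("slidingExpiration")
    sliding = DEFAULT_SLIDING if sliding_attr is None else sliding_attr.lower() == "true"
    timeout = int(forms.get("timeout", DEFAULT_TIMEOUT_MINUTES))
    return {"slidingExpiration": sliding, "timeout": timeout}


def replay_requests(settings: dict, request_minutes: list) -> tuple:
    """Replay requests presenting a ticket issued at minute 0 (the login).

    Returns (accepted, expires): the minutes at which the ticket was accepted
    and the minute after which it is no longer accepted. A request arriving
    after expiry is rejected and ends the replay, because a token holder who
    lacks the user's credentials cannot obtain a fresh ticket.
    """
    timeout = settings["timeout"]
    issued, expires = 0, timeout
    accepted = []
    for t in request_minutes:
        if t > expires:
            break
        accepted.append(t)
        # Sliding expiration: reissue once elapsed >= remaining, i.e. once at
        # least half the timeout has passed since the ticket was issued.
        if settings["slidingExpiration"] and (t - issued) >= (expires - t):
            issued, expires = t, t + timeout
    return accepted, expires


def audit_sliding_expiration(webconfig_xml: str) -> str:
    """One-line finding for a web.config, in the spirit of the article's check."""
    s = parse_forms_settings(webconfig_xml)
    if s["slidingExpiration"]:
        return (f"FINDING: slidingExpiration enabled (timeout={s['timeout']} min); "
                f"a stolen ticket stays valid indefinitely if presented at least "
                f"every {s['timeout'] / 2:g} minutes")
    return (f"OK: absolute expiry; a stolen ticket is rejected "
            f"{s['timeout']} minutes after login regardless of activity")


if __name__ == "__main__":
    every_15_for_3h = list(range(15, 181, 15))   # constructed: one request per 15 min
    for name, cfg in (("vulnerable", VULNERABLE_WEBCONFIG), ("secure", SECURE_WEBCONFIG)):
        settings = parse_forms_settings(cfg)
        accepted, expires = replay_requests(settings, every_15_for_3h)
        print(f"{name}: {audit_sliding_expiration(cfg)}")
        print(f"  {len(accepted)} of {len(every_15_for_3h)} requests accepted; "
              f"ticket dead after minute {expires}")
```

With the vulnerable configuration every one of the twelve 15-minute requests is accepted and the ticket is still good at minute 210; with the secure configuration only the requests at minutes 15 and 30 get through and the ticket dies at minute 30. The replay also shows that sliding expiration still ends a session on inactivity: a first request at minute 31 is rejected outright.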
If history is compromised, can't the cookies be compromised as well? And the hijack can still be performed.
This thread is for discussions of Top 10 Application Security Vulnerabilities in Web.config Files - Part Two.