-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update: DotNet Security Cheat Sheet #1325
Comments
This is a good point. @jmanico @kwwall @mackowski what do you think? |
I don't like the term "sliding expiration". While technically correct, that portrays it from an implementation perspective. I much prefer the terms "idle session timeout" and "maximum session timeout" because 1) that is the more common term, and 2) that portrays it from a user's perspective. Just my $.02. |
In my opinion it depends on the threat model so I would change to say that in most cases it is ok to use to sliding expiration with a short deadline. |
I would probably add some context around the reason for disabling it.. from Microsoft: "Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value." |
I just found this: https://brokul.dev/authentication-cookie-lifetime-and-sliding-expiration Do you agree? I would merge the content of this page and the side of Microsoft you cited in this cheat sheet... |
What is missing or needs to be updated?
Chapter "A01 Broken Access Control"
The following example is like this (line 32/33):
I don't think it's a bad idea using SlidingExploration - if it is implemented safely, especially using a short deadline, do you?
How should this be resolved?
Can you please revise this article and form a consistent line?
The text was updated successfully, but these errors were encountered: