Nope, I'm not pitching consulting services. I joined the conversation at the request of a member of my ops team; I am stating that allowing a token to remain valid for 30 days needlessly increases the attack surface of the application.
Feb 26 2015
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
In T4806#98677, @epriestley wrote: Cross site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.
We rotate CSRF tokens. They are not the same as session tokens.
The tokens that allow for persistent access to a site can be used for CSRF attacks. Do you have specific protections in place to keep this from happening?
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
There are actually legitimate security controls when you have sessions that don't expire. Cross site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.
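As an added illustration of the distinction the two comments above turn on (the session cookie a browser attaches to every request versus a per-session CSRF token that only the site's own pages can read), here is a small in-memory model. This is example code written for this page, not code from Phabricator or from either participant; the `Server` class, the 12-hour session lifetime, and the scenario names are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy for this illustration: sessions live 12 hours, not 30 days.
SESSION_TTL_SECONDS = 12 * 3600


@dataclass
class Session:
    user: str
    issued_at: float
    # Per-session anti-CSRF token. It is rendered into the site's own forms,
    # so a page served from another origin never learns it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class Server:
    """Minimal in-memory stand-in for a web app (hypothetical, not Phabricator)."""

    def __init__(self, clock, session_ttl=SESSION_TTL_SECONDS):
        self.clock = clock            # callable returning "now" in seconds
        self.ttl = session_ttl
        self.sessions = {}            # session id -> Session

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user, issued_at=self.clock())
        return sid                    # would be set as the session cookie

    def csrf_token_for(self, sid):
        # What the app embeds in its own forms for this session.
        return self.sessions[sid].csrf_token

    def rotate_csrf(self, sid):
        # Rotation invalidates any previously issued CSRF token for the session.
        self.sessions[sid].csrf_token = secrets.token_hex(16)

    def handle_post(self, cookies, form):
        """Return (status, message) for a state-changing POST."""
        sess = self.sessions.get(cookies.get("session", ""))
        if sess is None:
            return 401, "no valid session"
        if self.clock() - sess.issued_at > self.ttl:
            # Expiry bounds how long a leaked or forgotten cookie stays useful.
            del self.sessions[cookies["session"]]
            return 401, "session expired"
        supplied = form.get("csrf_token", "")
        # Constant-time comparison; a missing or stale token fails here.
        if not hmac.compare_digest(supplied, sess.csrf_token):
            return 403, "csrf token missing or stale"
        return 200, f"action performed as {sess.user}"


def run_scenarios():
    """Drive the server through the cases the thread argues about."""
    now = [1_000_000.0]               # constructed clock, advanced by hand
    server = Server(clock=lambda: now[0])
    sid = server.login("alice")
    cookies = {"session": sid}        # the browser attaches this automatically

    results = {}
    # 1. Legitimate submit from the site's own form: cookie + matching token.
    results["legit"] = server.handle_post(
        cookies, {"csrf_token": server.csrf_token_for(sid)})[0]
    # 2. Cross-site forged request: the cookie still rides along, but the
    #    foreign page cannot read the token, so none is submitted.
    results["forged"] = server.handle_post(cookies, {})[0]
    # 3. A token captured before rotation is rejected even with a live session.
    old = server.csrf_token_for(sid)
    server.rotate_csrf(sid)
    results["stale_token"] = server.handle_post(cookies, {"csrf_token": old})[0]
    results["fresh_token"] = server.handle_post(
        cookies, {"csrf_token": server.csrf_token_for(sid)})[0]
    # 4. Same cookie and a valid token after the TTL: session expiry wins.
    fresh = server.csrf_token_for(sid)
    now[0] += SESSION_TTL_SECONDS + 1
    results["expired"] = server.handle_post(cookies, {"csrf_token": fresh})[0]
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:12} -> {status}")
```

The two checks are independent: the CSRF token check is what stops a forged cross-site request regardless of how long the session lives, while the TTL is what limits how long a session cookie that has leaked by some other route remains usable. The thread's disagreement is about the second control, not the first.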