
infosecdweeb (Corey Wade)
User

Projects

User does not belong to any projects.


User Details

User Since
Feb 26 2015, 7:37 PM (512 w, 3 d)
Availability
Available

Recent Activity

Feb 26 2015

infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.

Nope, I'm not pitching consulting services. I joined the conversation at the request of a member of my ops team; I am stating that allowing a token to remain valid for 30 days needlessly increases the attack surface of the application.

Feb 26 2015, 9:15 PM · Restricted Project, Auth
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.

> Cross site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.

> We rotate CSRF tokens. They are not the same as session tokens.

The tokens that allow for persistent access to a site can be used for CSRF attacks. Do you have specific protections in place to keep this from happening?

Feb 26 2015, 8:05 PM · Restricted Project, Auth
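The exchange above turns on two separate controls: the session token the browser attaches to every request automatically, and the CSRF token that only a page served from the site's own origin can read and submit. The following is an added example, not Phabricator's code, that models both in a small session store together with the two knobs the task title asks for (a configurable session lifetime and a re-authentication gate before security actions). The `SessionStore`, `Request` and `handle` names, the 15-minute re-auth window and the hourly CSRF rotation are assumptions for illustration; the 30-day lifetime is the figure discussed in the thread.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed parameters (not Phabricator's values): the 30-day lifetime is the
# one discussed in the thread, the other two are illustrative choices.
SESSION_TTL = 30 * 24 * 3600       # session token lifetime, seconds
REAUTH_WINDOW = 15 * 60            # how long a password re-entry stays fresh
CSRF_ROTATE_AFTER = 60 * 60        # rotate the per-session CSRF token hourly

SENSITIVE_ACTIONS = {"change_password", "add_ssh_key"}


@dataclass
class Session:
    token: str          # session token, sent back in a cookie
    user: str
    created: float
    last_auth: float    # last time the user proved the password
    csrf_token: str     # separate secret, embedded in forms, never in the cookie
    csrf_issued: float


class SessionStore:
    def __init__(self, ttl: float = SESSION_TTL,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl
        self.clock = clock           # injectable clock so expiry is testable
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Session:
        now = self.clock()
        s = Session(secrets.token_urlsafe(32), user, now, now,
                    secrets.token_urlsafe(32), now)
        self._sessions[s.token] = s
        return s

    def lookup(self, token: str) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.clock() - s.created > self.ttl:
            del self._sessions[token]   # expired: drop it server-side too
            return None
        return s

    def csrf_token_for(self, s: Session) -> str:
        # Called when a form is rendered; rotates a stale token. A production
        # implementation would also accept a short grace window of recent
        # tokens so forms rendered just before rotation still submit.
        now = self.clock()
        if now - s.csrf_issued > CSRF_ROTATE_AFTER:
            s.csrf_token = secrets.token_urlsafe(32)
            s.csrf_issued = now
        return s.csrf_token

    def reauthenticate(self, s: Session) -> None:
        s.last_auth = self.clock()


@dataclass
class Request:
    cookie_session: Optional[str]   # what the browser attaches automatically
    form_csrf: Optional[str]        # what only the legitimate page can supply
    action: str


def handle(store: SessionStore, req: Request) -> str:
    s = store.lookup(req.cookie_session) if req.cookie_session else None
    if s is None:
        return "401 session expired or missing"
    # A cross-site form post carries the cookie but not the CSRF token, because
    # the attacker's origin cannot read it; the session's age is irrelevant
    # to this check.
    if req.form_csrf is None or not hmac.compare_digest(
            req.form_csrf.encode(), s.csrf_token.encode()):
        return "403 csrf token invalid"
    # Separate control: a long-lived session still cannot perform a security
    # action unless the password was entered recently.
    if req.action in SENSITIVE_ACTIONS and store.clock() - s.last_auth > REAUTH_WINDOW:
        return "403 reauth required"
    return "200 ok"


if __name__ == "__main__":
    store = SessionStore()
    s = store.login("alice")
    # Constructed cross-site post: cookie present, no CSRF token in the body.
    print(handle(store, Request(s.token, None, "change_password")))
    print(handle(store, Request(s.token, store.csrf_token_for(s), "view")))
```

The point the model makes concrete: a forged cross-site request is rejected at the CSRF check whether the session is one minute or thirty days old, so session lifetime and CSRF protection are independent controls. What a long-lived session token does expose is direct use by whoever obtains it, and the re-authentication gate limits what such a token can do on its own.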
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.

There are actually legitimate security controls when you have sessions that don't expire. Cross site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.

Feb 26 2015, 7:43 PM · Restricted Project, Auth