User Details
User Details
- User Since
- Feb 26 2015, 7:37 PM (512 w, 3 d)
- Availability
- Available
Feb 26 2015
Feb 26 2015
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
Nope, I'm not pitching consulting services. I joined the conversation at the request of a member of my ops team, I am stating that allowing a token to remain valid for 30 days needlessly increases the attack surface of the application.
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
The tokens that allow for persistent access to a site can be used for CSRF attacks. Do you have specific protections in place to keep this from happening?
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
There are actually legitimate security controls when you have sessions that don't expire. Cross site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.