Insecure session expiration time

Need

Enforce secure session expiration time

Context

  • Usage of C# for developing robust and efficient software applications
  • Usage of Microsoft.Extensions.DependencyInjection for dependency injection in .NET applications
  • Usage of Microsoft.AspNetCore.Session for managing user sessions in ASP.NET Core applications

Description

Non compliant code

// Startup.ConfigureServices (or Program.cs): session state kept alive for an hour of inactivity
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromHours(1);
});

The vulnerable code is the session timeout configuration. IdleTimeout is a sliding window: it is reset on every request that touches the session, and the session state is discarded only once the user has been inactive for that long. Setting it to one hour means a session stays usable for up to an hour after the user's last action. If a user walks away from a device without logging out, or the session cookie is captured, anyone holding that cookie can continue the session for up to an hour.

Steps

  • Reduce the session idle timeout to 5 minutes.
  • Update the session configuration in the code to reflect the new idle timeout value.
  • Test the application to ensure that user sessions expire after 5 minutes of inactivity.

Compliant code

// Session state is discarded after five minutes without a request
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(5);
});

The original code had a session idle timeout of one hour, so a session stayed active for up to an hour of inactivity. An attacker who obtains a live session, by sitting down at an unattended device or by stealing the session cookie, has up to an hour in which to act as the user.

The updated code reduces the idle timeout to 5 minutes. Session state now expires after 5 minutes without a request, which shrinks the window in which an abandoned or stolen session can be exploited. The value is a trade-off with usability; 5 minutes suits sensitive applications, and whatever value is chosen should be the shortest the workflow tolerates.

After updating the code, test that the new expiration actually takes effect: log in, stay idle for more than 5 minutes, then perform an action. Data previously stored in the session must be gone and the application must require the user to log in again. One caveat a reviewer should check: IdleTimeout only governs the session state managed by Microsoft.AspNetCore.Session. If the logged-in state lives in a separate authentication cookie (for example cookie authentication with its own ExpireTimeSpan), that lifetime must be shortened to match, otherwise the session data will expire while the login cookie remains valid and the user is not asked to log in again.
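The following is an added example, not code from the original page: a complete minimal ASP.NET Core program that applies the 5-minute idle window both to session state (IdleTimeout) and to the cookie authentication ticket (ExpireTimeSpan with sliding expiration), so that an idle user really is sent back to the login page. The /login and /me endpoints and the "demo-user" name are hypothetical and exist only to exercise the configuration; a real login would validate credentials first.

```csharp
// Added example: aligns session IdleTimeout and the authentication cookie lifetime.
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// One idle window shared by both mechanisms, so they cannot drift apart.
var idleTimeout = TimeSpan.FromMinutes(5);

// AddSession requires an IDistributedCache; the in-memory cache is enough for a single node.
builder.Services.AddDistributedMemoryCache();

builder.Services.AddSession(options =>
{
    // Server-side session data is discarded after this much inactivity.
    options.IdleTimeout = idleTimeout;
    // Harden the session cookie itself while configuring it.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.IsEssential = true;
});

// IdleTimeout does not touch the login cookie; give it the same lifetime explicitly.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = idleTimeout; // ticket is rejected after 5 idle minutes
        options.SlidingExpiration = true;     // active users are renewed, idle ones are not
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

app.UseSession();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: issues a ticket and stores a value in the session.
app.MapPost("/login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo-user") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity));
    ctx.Session.SetString("LastLogin", DateTimeOffset.UtcNow.ToString("o"));
    return Results.Ok("logged in");
});

// Hypothetical endpoint: after 5 idle minutes the ticket has expired and cookie
// authentication redirects to its LoginPath (default /Account/Login) instead of
// reaching this handler; if only the session had expired, LastLogin would be null.
app.MapGet("/me", (HttpContext ctx) =>
{
    var lastLogin = ctx.Session.GetString("LastLogin") ?? "(session expired)";
    return Results.Ok($"{ctx.User.Identity?.Name}: last login {lastLogin}");
}).RequireAuthorization();

app.Run();
```

To verify the behaviour manually, log in with a cookie jar (for example `curl -c jar.txt -X POST https://localhost:5001/login`), wait more than 5 minutes, then request `/me` with `-b jar.txt`: the response must be a redirect to the login page rather than the user's data. Requesting `/me` again within 5 minutes must keep working, which confirms the window is sliding rather than absolute. In a multi-node deployment replace AddDistributedMemoryCache with a shared cache (Redis or SQL Server), otherwise each node keeps its own copy of the session state.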

References