11 September 2009

What is Insufficient Session Expiration?

Insufficient session expiration, in the context of a web site or web application, is when the site allows someone to reuse old session credentials or session identifiers for authorisation. It is one of the threats included in the Web Application Security Consortium (WASC) Threat Classification.

Once a user has logged on (authenticated), restricting the period of inactivity before they have to re-authenticate is beneficial. But this needs to be considered carefully in the context of user behaviour, the risks to the information and accessibility. The other side of the problem is ensuring the session is terminated (destroyed permanently) when a user actually logs out or times out.

In the context of a train journey (the session), the ticket (session identifier) may allow me to travel on a particular route but may not specify the particular train. This means that train operators have to ensure they invalidate the tickets by marking or punching them at the time of travel (terminating the validity of the ticket).

If this were not done, an open, unrestricted, ticket could be used by the purchaser forever, or if discarded, used by someone else who acquired it.

Two UK railway tickets, one punched with a date stamp after being used on a journey

These example tickets have restrictions such as the type of traveller, routes and start date, but also have an expiry date, although this depends on the type of ticket and may be the same day as the purchased journey, or perhaps a month in the case of some return tickets. Data are also recorded on the magnetic strips on the reverse (not shown). After these dates, the ticket is invalid. Like web site terms and conditions, travel by train is subject to the National Rail Conditions of Carriage. Interestingly, these ticket examples bought online have the passenger's name printed on them.

Of course, you don't want users to make their own tickets up, especially if the station and on-board facilities don't have any way to validate the authenticity of the ticket other than by visual inspection. That's why self-service ticket machines print "VOID" on mis-printed tickets.

Two UK railway ticket blanks, one printed with 'VOID VOID VOID VOID' across the middle, and the other with nothing printed on it

Or at least they should do. I found the above pair of ticket blanks—one voided and one not—lying on top of a ticket machine. Don't let users make up or predict session identifiers for your web site either. For further guidance read session management.
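As an added example (not code from the original post), here is a minimal server-side session store that applies the points above: identifiers that cannot be made up or predicted, an idle timeout and an absolute lifetime, and permanent destruction on logout or expiry so that an old identifier cannot be reused. The timeout values are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before re-authentication
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float     # when the user authenticated
    last_seen: float   # last request that used this identifier


class SessionStore:
    """Server-side session records; the client only ever holds the opaque identifier."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._sessions = {}
        self.idle = idle
        self.absolute = absolute

    def login(self, user, now=None):
        """Create a fresh session after successful authentication and return its identifier."""
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: the "ticket" cannot be forged or guessed
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session, or None; an expired session is destroyed."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None                       # unknown, logged out or already expired
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            self.logout(sid)                  # expired: destroy so the old identifier is dead
            return None
        s.last_seen = now                     # activity extends the idle window only
        return s.user

    def logout(self, sid):
        """Permanently destroy the server-side record (the punched ticket)."""
        self._sessions.pop(sid, None)
```

Presenting a previously valid identifier after logout or expiry returns None every time, which is the behaviour an insufficient-session-expiration test checks for.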

Posted on: 11 September 2009 at 07:32 hrs

© 2009-2012 clerkendweller.com