Why do (people make) Sessions Expire? And what can we do about it?
From IIW
Why Do (People Make) Sessions Expire?
Tuesday 1G Convener: William Denniss, Guidin Kong
Notes-taker(s): Jim Fenton
Tags for the session - technology discussed/ideas considered:
Reauthentication ~ Session management ~ Cookies
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Lively discussion of the reasons that sites/applications expire sessions. About 40 people present.
- Garbage collection
- Remind users of their passwords
- Lack of session revocation
- Compliance, e.g., PCI
- Customer recommendations
- OWASP recommendation
- Habit
- Lack of continuous authentication
- User walk-away (and walk-up by someone unauthorized)
- Undetected changes in user authorization (user fired from job, etc.)
Some issues:
- Lack of trust in user agent
- Lack of reliable identification of user agent (currently self-asserted)
- Caching of credentials by user agent unbeknownst to relying parties
- Lack of single logout
- Fixed vs. mobile uses (no session expiration for mobile)
- Can’t detect user activity
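One way to turn several of the listed reasons into explicit server-side controls, as an added example that is not from the IIW session or any project discussed there: an idle timeout for walk-away, an absolute cap for compliance-style rules, a per-user authorization version so sessions die when rights change, explicit logout independent of any timer, and a sweep for garbage collection. The class and method names and the timeout values are assumptions.

```python
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # seconds without activity (user walk-away); assumed value
ABSOLUTE_TIMEOUT = 12 * 3600  # hard lifetime cap, e.g. for a compliance rule; assumed value

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    authz_version: int  # authorization state the session was issued under

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    # per-user authorization version; bump it when rights change or on offboarding
    authz_versions: dict = field(default_factory=dict)

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        ver = self.authz_versions.setdefault(user, 1)
        self.sessions[sid] = Session(user, now, now, ver)
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > IDLE_TIMEOUT
                or now - s.created > ABSOLUTE_TIMEOUT
                or s.authz_version != self.authz_versions.get(s.user))

    def validate(self, sid: str, now: float) -> "str | None":
        """Return the user for a live session, else None (and drop the record)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self.sessions[sid]
            return None
        s.last_seen = now  # observed activity extends the idle window only
        return s.user

    def revoke(self, sid: str) -> None:  # explicit logout of one session
        self.sessions.pop(sid, None)

    def authorization_changed(self, user: str) -> None:  # fired, role change, etc.
        self.authz_versions[user] = self.authz_versions.get(user, 1) + 1

    def sweep(self, now: float) -> int:  # periodic garbage collection of stale records
        before = len(self.sessions)
        self.sessions = {k: s for k, s in self.sessions.items() if not self._expired(s, now)}
        return before - len(self.sessions)
```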
Interesting factoid: Apple reports that typical users unlock their phones 80 times a day.