
I am looking at the session management again of a site and currently it renews the client session id on every page refresh. The idea being that if it is stolen directly from the browser there is less chance of the session being hijacked.

This, though, doesn't seem to make sense. If it is possible for some kind of malware or browser vulnerability to output a session id to a hacker, then they should quite easily be able to hijack that session regardless of the new session being created each time, as they would 'get there first'.

From what I can tell there is simply no way to solve that kind of issue by focussing on the session token itself; rather, matching other user profile information is more reliable. And of course asking for the password for critical changes.

So is there any point at all in creating a new session token for every page load? It seems a bit pointless and a waste of resources. In fact, if so many ids are being created there would be a higher chance of guessing a session randomly.

Would not changing the session token at all be acceptable during a session, or should it maybe be renewed every couple of minutes?

Kline
  • Whether or not it makes sense, default session limits are 20 minutes under IIS. But it can be changed in the HTML code. What really helps security, though, is that all sessions are terminated when you close the browser entirely. – SDsolar May 21 '17 at 04:46

1 Answer


You are right that it doesn't really provide more security.

Apart from usability problems and increased complexity, I'm not sure what it brings. For example, if you change the session_id and invalidate the previous session_id on every request, your user won't be able to use multiple tabs in their browser.

Also, as you stated, it doesn't stop an attacker from getting in there first and using the session_id before the real user.

Is it acceptable to not change the session_id?

Yes, while the user is logged in there is no reason to change it.

So, then, how long should the user stay logged in?

It always depends on the security your application needs. For example, stackoverflow doesn't reset my session if I don't log in for a week. It doesn't reset it even if I close my browser. On the contrary, my bank website will close my session if I'm inactive for like 10 minutes or if I close my browser tab.

Leaving a session open increases the risk that it can be stolen. If it's crucial to keep the session safe then change it often. The idea here is to define rules about when you need to change it and to balance security and usability.

Note: The session_id security is pretty similar to a CSRF token. Here's a similar question: Why refresh CSRF token per form request?

Gudradain
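As an added illustration of the trade-offs the answer above describes (it is not code from the question's site or from any framework), here is a small server-side session store that rotates the id only at the login boundary, enforces an idle timeout and an absolute lifetime, and lets you switch per-request rotation on to see why it breaks a second browser tab. The store, the `FakeClock`, the timeout values and the `demo_*` functions are all constructed for this example; a real deployment would persist sessions in a database or cache rather than a dict.

```python
import secrets
import time

# Constructed values for the example: a bank-style 10-minute idle timeout and an
# 8-hour hard cap. The answer's point is that these numbers are a policy choice.
IDLE_TIMEOUT = 10 * 60
ABSOLUTE_LIFETIME = 8 * 3600


def new_session_id():
    # 256 bits from the OS CSPRNG. The number of ids ever issued is negligible
    # against a 2**256 space, so frequent rotation does not make guessing feasible.
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal in-memory session store (example code, not a real framework)."""

    def __init__(self, clock=time.time, rotate_every_request=False):
        self._clock = clock
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}
        self.rotate_every_request = rotate_every_request

    def create(self, user=None):
        now = self._clock()
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def rotate(self, sid):
        """Give the same session data a fresh id and invalidate the old one."""
        data = self._sessions.pop(sid)
        new_sid = new_session_id()
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, user):
        """Rotate at the authentication boundary, so an id that was observed or
        planted before login (session fixation) is useless afterwards."""
        self._sessions[sid]["user"] = user
        return self.rotate(sid)

    def touch(self, sid):
        """Validate a presented id on each request. Returns the id the client
        should keep using, or None if the session is unknown or expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > IDLE_TIMEOUT or now - data["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return self.rotate(sid) if self.rotate_every_request else sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock so the timeout behaviour can be exercised offline."""
    def __init__(self, t=1_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo_two_tabs(rotate_every_request):
    """Two tabs send requests carrying the same cookie value. With per-request
    rotation the first request already invalidated the id the second one carries."""
    store = SessionStore(clock=FakeClock(), rotate_every_request=rotate_every_request)
    sid = store.login(store.create(), "alice")
    tab1 = store.touch(sid)
    tab2 = store.touch(sid)
    return tab1 is not None, tab2 is not None


def demo_idle_timeout():
    """Activity just inside the idle window keeps the session; silence beyond it ends it."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.login(store.create(), "bob")
    clock.advance(IDLE_TIMEOUT - 1)
    still_alive = store.touch(sid) is not None
    clock.advance(IDLE_TIMEOUT + 1)
    expired = store.touch(sid) is None
    return still_alive, expired


def demo_fixation():
    """An id known before login must not be accepted after login, while the
    rotated id is accepted and, without per-request rotation, stays stable."""
    store = SessionStore(clock=FakeClock())
    pre_login = store.create()
    post_login = store.login(pre_login, "carol")
    return store.touch(pre_login) is None and store.touch(post_login) == post_login
```

Run `demo_two_tabs(True)` against `demo_two_tabs(False)` to see the usability cost the answer mentions: the stable id serves both tabs, the per-request rotation leaves the second tab logged out. `demo_fixation` shows the one rotation that does buy something, the one at login, and `demo_idle_timeout` shows where the real lever is, namely how long an unused session is allowed to live.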