
In a web application there are several pages in which you have sensitive data and actions, like access controls or the user management page. Is it a good idea to re-authenticate the user to access those pages? If yes, should they be re-authenticated for each access, or is it enough to re-authenticate once until the end of the session? Is there any rule about it?

1 Answer


... pages in which you have sensitive data and actions like access controls or user management page. Is it a good idea to re-authenticate user to access those pages?

From the standpoint of risk mitigation it is a good idea. From the standpoint of usability it is annoying when workflows too often get slowed down by the need for re-authentication.

Is there any rule about it?

The rule is to find the right balance between risk mitigation and usability. This is specific to each use case, i.e. what risks you actually need to address, what usability is necessary, what annoyances are acceptable, etc. It might also depend on variations of the use case, i.e. the risks might be different if the users accessing the data are physically inside the company or if they are logged in from outside.

Steffen Ullrich
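The three options the question raises (re-authenticate on every access, once per session, or within a time window) and the answer's point that the window may differ for users inside the company can all be expressed as one per-route freshness policy. The following is an added example, not code from the thread; the route table, the 10.0.0.0/8 corporate range and the internal-network factor are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy (assumption): how many seconds a previous authentication
# stays "fresh" for a sensitive path. 0 means "re-authenticate on every access".
SENSITIVE_PATHS = {
    "/admin/users": 300,          # user management: auth must be < 5 min old
    "/admin/access-control": 0,   # access-control changes: re-auth every time
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # hypothetical corporate range
INTERNAL_FACTOR = 4                          # assumption: longer window from inside

@dataclass
class Session:
    user: str
    login_at: float                    # time of the initial login
    reauth_at: Optional[float] = None  # time of the last explicit re-authentication
    reauth_spent: bool = True          # per-access mode: has the last re-auth been used?

def freshness_window(path: str, client_ip: str) -> Optional[int]:
    """Allowed age (seconds) of the last authentication for this path; None = not sensitive."""
    window = SENSITIVE_PATHS.get(path)
    if window is None or window == 0:
        return window
    # Lower risk from inside the company network (assumption): accept an older authentication.
    if any(ip_address(client_ip) in net for net in INTERNAL_NETS):
        window *= INTERNAL_FACTOR
    return window

def record_reauth(session: Session, now: float) -> None:
    """Called after the user successfully re-enters credentials or a second factor."""
    session.reauth_at = now
    session.reauth_spent = False

def needs_reauth(session: Session, path: str, client_ip: str, now: float) -> bool:
    """True if the request must go to the re-authentication step before being served."""
    window = freshness_window(path, client_ip)
    if window is None:
        return False                     # not a sensitive page
    if window == 0:                      # per-access mode: one re-auth serves one request
        if session.reauth_at is None or session.reauth_spent:
            return True
        session.reauth_spent = True      # consume the fresh re-auth for this request
        return False
    # Time-window mode: the initial login counts as fresh until the window expires.
    last = session.reauth_at if session.reauth_at is not None else session.login_at
    return now - last > window
```

Setting a path's window to a value larger than the session lifetime gives the "once per session" behaviour; the per-access mode consumes each re-authentication so that a single fresh step-up cannot be replayed across several requests.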