Why do (people make) Sessions Expire? And what can we do about it?

From IIW

Why Do (People Make) Sessions Expire?

Tuesday 1G Convener: William Denniss, Guidin Kong

Notes-taker(s): Jim Fenton

Tags for the session - technology discussed/ideas considered:

Reauthentication ~ Session management ~ Cookies

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Lively discussion of the reasons that sites/applications expire sessions. About 40 people present.

  • Garbage collection
  • Remind users of their passwords
  • Lack of session revocation
  • Compliance, e.g., PCI
  • Customer recommendations
  • OWASP recommendation
  • Habit
  • Lack of continuous authentication
  • User walk-away (and walk-up by someone unauthorized)
  • Undetected changes in user authorization (user fired from job, etc.)
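Several of the reasons above are really separate policies that a fixed expiry time lumps together. As an added illustration (not part of the session notes), the Python below keeps them apart in a server-side session store: an idle timeout for walk-away, an absolute lifetime for garbage collection and compliance, an explicit revocation set so expiry does not have to stand in for logout, and a per-user authorization version so a session issued before a change in entitlements (e.g. the user being fired) stops validating. Timeout values and the data model are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy values; a real deployment takes these from its own policy.
IDLE_TIMEOUT = 15 * 60         # seconds since last activity (walk-away / walk-up)
ABSOLUTE_LIFETIME = 12 * 3600  # hard cap regardless of activity (GC, compliance)


@dataclass
class Session:
    sid: str
    user: str
    issued_at: float
    last_seen: float
    authz_version: int  # snapshot of the user's entitlement version at login


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)            # logout / admin kill
    authz_version: dict = field(default_factory=dict)    # current version per user

    def login(self, sid, user, now):
        """Issue a session stamped with the user's current authorization version."""
        s = Session(sid, user, now, now, self.authz_version.get(user, 0))
        self.sessions[sid] = s
        return s

    def change_authorization(self, user):
        """Any entitlement change bumps the version; older sessions stop validating."""
        self.authz_version[user] = self.authz_version.get(user, 0) + 1

    def check(self, sid, now):
        """Return (valid, reason); each reason maps to one of the listed motives."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown"
        if sid in self.revoked:                       # explicit revocation available
            return False, "revoked"
        if now - s.issued_at > ABSOLUTE_LIFETIME:     # garbage collection / compliance
            return False, "absolute_lifetime"
        if now - s.last_seen > IDLE_TIMEOUT:          # user walk-away
            return False, "idle_timeout"
        if self.authz_version.get(s.user, 0) != s.authz_version:
            return False, "authorization_changed"     # fired, role removed, ...
        s.last_seen = now                             # activity extends the idle window only
        return True, "ok"
```

The order of the checks matters: revocation and absolute lifetime are evaluated before idle time, so continued activity on a revoked or capped session never extends it.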

Some issues:

  • Lack of trust in user agent
  • Lack of reliable identification of user agent (currently self-asserted)
  • Caching of credentials by user agent unbeknownst to relying parties
  • Lack of single logout
  • Fixed vs. mobile uses (no session expiration for mobile)
  • Can’t detect user activity

Interesting factoid: Apple reports that typical users unlock their phones 80 times a day.