Bitcoin Forum

Author Topic: Question of Session Management  (Read 819 times)

nedbert9 (OP)
Sr. Member
August 28, 2012, 11:39:21 PM
Last edit: August 29, 2012, 01:17:26 AM by nedbert9
 #1
I'd like to solicit opinions of Web devs and the technically versed on security practices and associated risks surrounding Web session management.

I appreciate your time and feedback.

(There is a point to these questions, but I want to get opinions that are as unbiased as possible prior to revealing my reasoning.)

The banking site used in the questions below can and should be substituted for whatever site you feel has significantly high value for attack.

A better example is to think of a Bitcoin related site where the target value is very high.

1.  Does the web site of your financial institution, specifically the authenticated account area, allow persistent session tokens / IDs across browser window sessions (closing tab/re-opening site)?
2.  Does any web site of sufficient importance and sensitivity to you allow long, hours/days, session token expiration periods? (bitcointalk excluded ;))
3.  Would you feel comfortable with highly sensitive web sites, such as your online banking, not forcefully expiring sessions either on a short (10 minute) timer or at browser session termination?

4.  Would you feel comfortable with a non-technical person of close relationship to you using a sensitive web site that persists session IDs as defined above?
5.  Do you feel that users of sensitive sites neglecting to use manual session management triggers (log-out) is a valid use case and should be planned for, with countermeasures implemented?

Thanks.
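The properties the five questions above ask about (a token that survives closing the browser, a long expiry, a short idle timer, and a countermeasure for users who never click log-out) come down to two concrete controls: the Set-Cookie attributes that decide whether the browser keeps the token across a restart, and server-side idle and absolute expiry that holds regardless of what the user or browser does. The following is an added example written for this thread; it is not code from the forum, from any bank, or from any Bitcoin site. The two policies, the cookie name `sid`, the class names and the timestamps are assumptions chosen for illustration.

```python
"""Session policy enforcement: idle timeout, absolute lifetime and cookie
persistence.  Added example for this thread; not code from any site it discusses."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int        # seconds of inactivity after which the server drops the session
    absolute_lifetime: int   # seconds after login after which re-authentication is required
    persistent_cookie: bool  # True: Max-Age is sent, so the browser keeps the cookie across restarts


# Two illustrative policies (assumed values, not any real site's settings).
# LAX_POLICY is the "persists for days, survives a browser restart" case the
# questions describe; STRICT_POLICY is the "10 minute timer, session cookie" case.
LAX_POLICY = SessionPolicy(idle_timeout=7 * 24 * 3600, absolute_lifetime=30 * 24 * 3600, persistent_cookie=True)
STRICT_POLICY = SessionPolicy(idle_timeout=10 * 60, absolute_lifetime=8 * 3600, persistent_cookie=False)


@dataclass
class Session:
    user: str
    created: float    # login time (seconds)
    last_seen: float  # time of the last authenticated request


class SessionStore:
    """Server-side store.  Expiry is enforced here, so it holds even when the
    user never logs out and even if the browser still presents the cookie."""

    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from user data
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def set_cookie_header(self, token: str) -> str:
        """Build the Set-Cookie value.  Without Max-Age/Expires the cookie is a
        'session cookie' that the browser discards when it exits (questions 1 and 3)."""
        jar = SimpleCookie()
        jar["sid"] = token
        morsel = jar["sid"]
        morsel["httponly"] = True     # not readable from page script
        morsel["secure"] = True       # never sent over plain HTTP
        morsel["samesite"] = "Lax"
        morsel["path"] = "/"
        if self.policy.persistent_cookie:
            morsel["max-age"] = self.policy.absolute_lifetime
        return morsel.OutputString()

    def resolve(self, token: str, now: float) -> str | None:
        """Return the user for a token, or None if unknown or expired.
        The idle timeout slides with activity; the absolute lifetime does not."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.policy.absolute_lifetime or now - s.last_seen > self.policy.idle_timeout:
            del self._sessions[token]  # expired: invalidate server-side, not only in the browser
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def cookie_is_persistent(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value the way an auditor would: a Max-Age or Expires
    attribute means the browser stores the cookie on disk and it survives a restart."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return any(m["max-age"] or m["expires"] for m in jar.values())


if __name__ == "__main__":
    t0 = 1_000_000.0  # constructed timestamp for the demo
    for name, policy in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        store = SessionStore(policy)
        tok = store.login("alice", t0)
        print(name, "persistent cookie:", cookie_is_persistent(store.set_cookie_header(tok)))
        # the user walks away for an hour without logging out
        print(name, "still valid after 1h idle:", store.resolve(tok, t0 + 3600) is not None)
```

The point of keeping expiry in `SessionStore.resolve` rather than only in the cookie is question 5: a cookie's lifetime is advice to the browser, and a stolen or copied token ignores it entirely, whereas the server-side check is what actually ends the session when nobody clicks log-out. `cookie_is_persistent` is the quick check to run against a site's own Set-Cookie response when answering question 1.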
Revalin
Hero Member
August 29, 2012, 12:06:47 AM
 #2

I reject your premise.  I know most people are paranoid about their banking logins, but in my opinion there actually isn't that much damage that can be done by getting access to my account.  It's very hard to use a login to send money irrevocably and untraceably to someone else.  Any receiving account can be reported to the police and the recipient brought in for fraud.

BTC requires much more paranoid security.

As for your questions:

1. I have active accounts at several banks, credit unions and investment firms.  Most allow me to close and reopen tabs; none create a session which will persist across browser restarts.

2. They are all in the range 10m to 45m.

3. Yes.  I actively subvert their security (which I consider unnecessary) by using a password manager with auto-login.  However, I only do so from my own computers which are encrypted and auto-lock.  I never enter passwords on computers I don't control, but if I did, I would want a short session expiration.

4. Yes, because I don't consider a random banking web site to be "sensitive".  Getting money out is hard, so it's only a privacy concern for people physically commandeering their computer after they walk away - the data is too low value to be targeted by a widespread virus.  I would not recommend setting persistence as default, but having it as an option is fine and people who set it can reasonably be expected to log out when they're done.  I would not recommend persisting across browser restarts, however.  A Bitcoin-related site where theft is much more plausible deserves a more paranoid approach.

5. Yes, the countermeasures should be there by default, but in my opinion in most cases it's fine to have an option to disable them.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
nedbert9 (OP)
Sr. Member
August 29, 2012, 12:42:41 AM
Last edit: August 29, 2012, 12:55:42 AM by nedbert9
 #3

Good points.  The premise you assumed isn't what I had in mind.  I edited the post to be slightly more specific since going down the path of banking website as an example seems to have strayed from the intent of my questions.

I really do appreciate the thoughtful response.

I find it interesting in your response to multiple questions that you state users should be reasonably expected to use session management functions (log-out) but at the same time do not deny the use case of users not manually terminating their session and the need for appropriate countermeasures for this case.

I guess my feeling on this is that when expected user involvement is applied on a grand scale, a security system can fail, and this is exactly why countermeasures to vulnerabilities are needed.