Webnodes still grants access when login times out
42 posts

When the .ASPXAUTH cookie has expired, a user still has access to restricted nodes if the ViewSessionId is still valid. Thus, setting the login timeout has very little effect in terms of restricting access. Could it be possible to verify the cookie before granting access in WAFContext.Session?

Or have I missed something? :)

Regards,

Emil

120 posts

By default the session timeout is set to the same as the ASP.Net timeout + 10 minutes.

Here is the internal code for it:

            if (!WAFRuntime.Engine.IsSessionTimeoutSet) {
                WAFRuntime.Engine.SessionTimeout = new TimeSpan(0, httpSession.Timeout + 10, 0);
            }

You can set your own by setting this value manually:

            WAFRuntime.Engine.SessionTimeout

or perhaps better, specify it in the web.config by adding this:

<appSettings>
.....
.....
    <add key="WAF.SessionTimeout" value="20" />
.....
.....
</appSettings>

The unit is minutes.

Will this help?

 

42 posts

Seems to work at first glance :)

Now begs the question -- do Webnodes sessions use sliding or absolute expiration? My auth cookie needs to reflect on this :)

 

Thanks for the help! :)

120 posts

The Webnodes Session uses a "sliding expiration". Each request related to a session will reset the count down.
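
The following is an added example, not part of the thread and not Webnodes code. It models the two sliding timers discussed above to show how the auth ticket can lapse while the session stays alive even when both timeouts are 20 minutes. Assumptions: ASP.NET forms authentication with slidingExpiration enabled, which reissues the ticket only once more than half its lifetime has elapsed; the class name, the forms timeout value and the request times are constructed.

```csharp
using System;

// Added illustration: a timing model only, it calls no ASP.NET or Webnodes API.
static class TimeoutGapDemo
{
    const double AuthTimeout = 20;     // assumed <forms timeout="20"> in web.config
    const double SessionTimeout = 20;  // WAF.SessionTimeout="20", as in the post above

    static void Main()
    {
        double[] requests = { 0, 9, 21, 28 };  // constructed request times (minutes)

        double ticketIssued = 0;
        double ticketExpires = AuthTimeout;
        double sessionExpires = SessionTimeout;

        foreach (double now in requests)
        {
            bool ticketValid = now < ticketExpires;
            bool sessionValid = now < sessionExpires;

            // Forms auth sliding expiration: the ticket is reissued only when
            // the elapsed time exceeds the time remaining (past the half-way point).
            if (ticketValid && (now - ticketIssued) > (ticketExpires - now))
            {
                ticketIssued = now;
                ticketExpires = now + AuthTimeout;
            }

            // Webnodes session: every request resets the countdown.
            if (sessionValid)
            {
                sessionExpires = now + SessionTimeout;
            }

            string note = (!ticketValid && sessionValid)
                ? "  <-- ticket expired, session still honoured"
                : "";
            Console.WriteLine(
                "t={0,2}  ticketValid={1,-5}  sessionValid={2,-5}  ticketExpires={3}  sessionExpires={4}{5}",
                now, ticketValid, sessionValid, ticketExpires, sessionExpires, note);
        }
    }
}
```

In this model an authenticated request always leaves at least half the forms timeout on the ticket, so the session cannot outlive the ticket once the session timeout is no more than half the forms timeout.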
