On Sun, Apr 1, 2012 at 11:51 PM, Tharindu Mathew <[email protected]> wrote:
>
>
> On Sun, Apr 1, 2012 at 9:26 PM, Amila Jayasekara <[email protected]> wrote:
>>
>> On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > I am -0 for this. There are some negative effects of increasing the session
>> > timeout.
>> >
>> > 1) Objects we keep in the session can grow. This will be multiplied by the
>> > number of users with active sessions.
>> > 2) Security risk is marginally increased.
>>
>> I agree with Dimuthu. In the default implementation we should ship
>> products with maximum security. If needed, users can change security
>> levels by modifying config files.
>>
> I disagree. In the default implementation we should ship products with maximum
> usability. If needed, users can change security by modifying config files.
Hi Tharindu,

I was not comparing security and usability. Of course the product must
be usable with maximum security.

If we ship the product with a medium/low security level, most probably
users will get to know that they have to tweak some configurations
in order to achieve maximum security only after facing an attack.
Therefore it is better to ship default configurations with the maximum
available security. When I say maximum security it doesn't mean the user is
not allowed to log in. The user will get all available functionality with
maximum security. This is the norm followed by most other software
products (including operating systems, such as Windows).

E.g.:
Shipping the product with support for only strong SSL ciphers. If a
customer wants support for medium/low SSL ciphers, he/she has to
change configurations. But in the default configuration we should only
support strong SSL ciphers, so that an attacker will be unable to
carry out a brute force attack.

For this particular scenario, one vulnerability I see is some
unauthorized user gaining access to the management console after a
user's machine has been left unlocked for some time. I am not quite sure about the
correct value for the session timeout. But if we are increasing that
value, we need to reason out the "new value" properly, based on real
usage.

Thanks
AmilaJ
>>
>> Thanks
>> AmilaJ
>>
>> >
>> > tx,
>> > dimuthu
>> >
>> >
>> >
>> > On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi <[email protected]>
>> > wrote:
>> >>
>> >>
>> >>
>> >> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew <[email protected]>
>> >> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> Let's do $subject. What we ship by default is a toy value good for
>> >>> running samples.
>> >>>
>> >>> When we are doing some lengthy work it will definitely time out in the
>> >>> middle of the work and this is really frustrating for users.
>> >>>
>> >>> It should at least be 30 mins IMO.
>> >>
>> >>
>> >> +1
>> >>
>> >> thanks,
>> >> Amila.
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>>
>> >>> Tharindu
>> >>>
>> >>> blog: http://mackiemathew.com/
>> >>> M: +94777759908
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Dev mailing list
>> >>> [email protected]
>> >>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Amila Suriarachchi
>> >>
>> >> Software Architect
>> >> WSO2 Inc. ; http://wso2.com
>> >> lean . enterprise . middleware
>> >>
>> >> phone : +94 71 3082805
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Dimuthu Leelarathne
>> > Technical Lead
>> >
>> > WSO2, Inc. (http://wso2.com)
>> > email: [email protected]
>> >
>> > Lean . Enterprise . Middleware
>> >
>> >
>> >
>>
>>
>>
>> --
>> Mobile : +94773330538
>
>
>
>
> --
> Regards,
>
> Tharindu
>
> blog: http://mackiemathew.com/
> M: +94777759908
>
--
Mobile : +94773330538