Bradley, Peter wrote:
> I wonder if I could pick some brains?
>
> According to the BBC:
>
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
>
> We already have difficulties with tabbed browsers in the sense that if a
> user closes a tab, it doesn't close the session so users (and therefore
> potentially others if the user leaves the machine unguarded) can jump
> back into a session. Does the feature above mean life is going to be
> even more difficult? Will sessions even be restored if the browser is
> closed and re-opened? This is very important to us, because many of our
> applications run on computers in public access areas. So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability data
> &c.
>
> Or is there something in the .NET security model we should be using that
> we've missed?

I'm supposing you mean ASP.NET.

By default, ASP.NET sessions expire after 10 minutes of inactivity. This can be controlled with web.config's <sessionState timeout="<minutes>"> setting. During this time window, the browser can be recycled w/out losing the session.

However, sensitive information is usually protected by an additional authentication layer. If this layer employs cookies, their expiration must not be set => browsers will not store the cookies on the disk either => recycling the browser kills the session.

If a browser doesn't respect the empty expiration value, then ASP.NET (or any other web server framework that uses cookies for authentication) can't do anything about it.

Robert
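
Added example, not part of the message above: a check for the condition the reply describes, that authentication cookies carry no expiration so the browser keeps them in memory only. It classifies Set-Cookie values as session, persistent or expired and flags sensitive cookies that would be written to disk; the sample headers are constructed, and the two cookie names are ASP.NET's defaults.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Default ASP.NET session and forms-authentication cookie names (lower-cased).
SENSITIVE = {"asp.net_sessionid", ".aspxauth"}

# Constructed Set-Cookie header values for illustration; cookie values are made up.
SAMPLE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=0A1B2C; expires=Fri, 01 Dec 2006 10:00:00 GMT; path=/; HttpOnly",
    "prefs=lang-en; Max-Age=31536000; path=/",
    ".ASPXAUTH=; expires=Tue, 12 Oct 1999 00:00:00 GMT; path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """'session' = memory only, 'persistent' = written to disk, 'expired' = deletion."""
    try:  # Max-Age takes precedence over Expires when both are present
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    except (KeyError, ValueError):
        pass  # no usable Max-Age; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparseable Expires attribute is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"

def audit(headers, now=None):
    """Return (name, lifetime) per cookie and the sensitive names that get persisted."""
    now = now or datetime.now(timezone.utc)
    seen = [(n, lifetime(a, now)) for n, a in map(parse_set_cookie, headers)]
    flagged = [n for n, kind in seen if kind == "persistent" and n.lower() in SENSITIVE]
    return seen, flagged

if __name__ == "__main__":
    for name, kind in audit(SAMPLE, datetime(2006, 11, 1, tzinfo=timezone.utc))[0]:
        print(f"{name:20} {kind}")
```
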
