Code sample contradicts readme #11
Comments
Hi, yes I appreciate this doesn't conform to their advice however making users login every 30 minutes is a royal PITA. The usability/security tradeoff comes in here and I would advocate a bit more usability. So long as ExpireTimeSpan is low then the risk is low. Obviously you might make a different decision for your application.
It's 60 minutes according to their advice, but I agree it would still be a pain :). I guess this issue is more about the fact that there is a difference in the readme vs the code sample, namely
If the setting in the readme (no sliding expiration, regardless of timeout) is what is recommended then it seems a bit odd that the code sample they are linking to directly contradicts this.
I think the advice should be low timeout but with sliding expiration. Or an application that warns you that it is going to timeout and prompts you to extend (like my bank does)
SecurityEssentials/SecurityEssentials/App_Start/Startup.Auth.cs
Line 33 in 43665ca
This seems to contradict the readme:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DotNet_Security_Cheat_Sheet.md#a2-weak-account-management
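The two cookie-lifetime policies this thread argues about, written out side by side as an added example. This is not the SecurityEssentials project's own Startup.Auth.cs and not the cheat sheet's sample; it uses the OWIN cookie authentication middleware (Microsoft.Owin.Security.Cookies), and the 30 and 60 minute values, the login path and the class name are assumptions chosen to match the discussion above.

```csharp
// Added example, not code from the SecurityEssentials project.
// Shows the sliding-expiration policy defended in the thread next to the
// absolute-expiration policy the linked OWASP cheat sheet recommends.
// Timeout values and the login path are assumptions.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Policy A: sliding expiration. The OWIN middleware reissues the
        // cookie whenever a request arrives after more than half of
        // ExpireTimeSpan has elapsed, so an active user is never prompted
        // to log in again. The cost is that a leaked cookie also stays
        // valid for as long as whoever holds it keeps sending requests;
        // only an idle gap longer than ExpireTimeSpan ends the session.
        var slidingOptions = new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),   // assumed path
            ExpireTimeSpan = TimeSpan.FromMinutes(30),       // assumed value
            SlidingExpiration = true,
            CookieHttpOnly = true,                           // not readable from script
            CookieSecure = CookieSecureOption.Always,        // HTTPS only
        };

        // Policy B: absolute expiration, as the cheat sheet describes.
        // The cookie is valid for a fixed window from the time it was
        // issued, regardless of activity, which caps how long a leaked
        // cookie can be replayed. The user re-authenticates once per window.
        var absoluteOptions = new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),   // assumed path
            ExpireTimeSpan = TimeSpan.FromMinutes(60),       // assumed value
            SlidingExpiration = false,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
        };

        // Register exactly one ApplicationCookie middleware. Swap in
        // slidingOptions to get the behaviour described in the first comment.
        app.UseCookieAuthentication(absoluteOptions);
    }
}
```

The difference worth checking in a review is the pair `ExpireTimeSpan` / `SlidingExpiration` rather than either value alone: a short `ExpireTimeSpan` with `SlidingExpiration = true` bounds idle time but not total session length, while `SlidingExpiration = false` bounds total length whatever the timeout. The "warn before timeout and offer to extend" option mentioned above is a client-side feature layered on top of policy B and is not shown here.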