I have a user pool & respective identity pool (where the auth role is provided with sts:AssumeRoleWithWebIdentity).
I want the session duration to be more than 1 hour (I believe that is the default time).
How can I do that?
I was able to increase the max session duration in the role, but is there any way to increase the session duration for STS?
I am very very very new to AWS; I am working with a (monkey see, monkey do) approach. I don't know the ins and outs of it.
Any help would be appreciated
Concerning cookie expiration time, what is the best practice for a secure application?
The login system is an SSO that I can't manage, so the ["remember me"][1] option is not possible.
There are 2 solutions:
Time expiration: the cookie would expire after a specific amount of time, i.e. 4 hours. But if the user uses a shared computer and forgets to log out, another user could access the web application.
Session expiration: the cookie would expire after the web browser is closed (or [even worse][2]). But what if the user never closes his session and always keeps his computer turned on? The cookie would never expire even if the user doesn't need access to the web application.
Is there not a way to do both at the same time? Base the cookie expiration on the session with a maximum duration of time...
NB: Believing in a security-aware user is a sweet dream, thus trusting the user to log out is not feasible.
[1]: What is an acceptable expiration time for a cookie
[2]: When does a cookie with expiration time 'At end of session' expire?
Since no one else has taken a stab at this question, I'll hopefully get the ball rolling, lol. I'm not sure if this will exactly answer your question, but I'll try my best :).
I think that given the 2 solutions you have presented, along with the dependency of the user behavior, I really don't think there is a good answer in terms of "best practice" (which may also be subjective).
If both solutions were used (that is, a cookie that expires after a specific amount of time [i.e. 4 hours] OR at the end of a session) you would also take on the "cons" of each of those approaches. So, if the user forgets to log out within the expiration period and does not close their session, there is an issue.
So what I am saying is that in any case, the security is based on the user behavior and there will always be these flaws. Using a mix of solutions (defense-in-depth), as you have suggested, is a good line of thinking.
I would like to configure the custom policy so that:
A user who has not been active for more than 1 day will be logged out and forced to sign in again.
If they continuously use the app, then their session will let them keep on using the app for many days.
But after 30 days, even if they've been using the app everyday, they will be forced to log out, and need to login again. Is this possible?
I tried to accomplish this with web session but can't seem to find a way.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior
It might not be a 1-day rolling session and a 30-day upper limit. Maybe it's a 1-hour rolling session and a 1-day upper limit. So the user will need to log in again after 1 hour of idle, or if they keep on using the app, they will need to log in again after 24 hours.
Set the following:
1. 1 hr access token lifetime.
2. 24 hr refresh token lifetime, absolute length (fixed 24 hrs for SPA apps). Reduce this time below (3) to give a higher chance of the web session being extended.
3. 24 hr web session, rolling. Only extends when (2) expires but (3) is still valid.
It gets the closest to your requirements.
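The rolling-window-plus-absolute-cap behaviour that both the cookie question and this B2C answer describe, as an added example (not code from either thread, and not an Azure AD B2C API): a small server-side session store where every request restarts the idle window, but nothing extends a session past its absolute lifetime. The policy values, session ids and user names are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created_at: datetime   # fixed at login; drives the absolute cap
    last_seen: datetime    # moves on every request; drives the idle window


class SessionPolicy:
    """Sliding (idle) expiry with an absolute lifetime cap."""

    def __init__(self, idle: timedelta, absolute: timedelta):
        if idle > absolute:
            raise ValueError("idle window must not exceed the absolute lifetime")
        self.idle, self.absolute = idle, absolute
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user: str, now: datetime) -> None:
        self._sessions[sid] = Session(user, now, now)

    def expires_at(self, s: Session) -> datetime:
        # Valid until whichever deadline comes first: idle or absolute.
        return min(s.last_seen + self.idle, s.created_at + self.absolute)

    def touch(self, sid: str, now: datetime) -> Optional[str]:
        """Validate and extend a session; returns the user, or None if expired."""
        s = self._sessions.get(sid)
        if s is None or now >= self.expires_at(s):
            self._sessions.pop(sid, None)   # revoke server-side, not just in the browser
            return None
        s.last_seen = now                   # rolling: this request restarts the idle window
        return s.user

    def cookie_max_age(self, sid: str, now: datetime) -> int:
        """Max-Age for Set-Cookie so the browser drops it no later than the server would."""
        return max(0, int((self.expires_at(self._sessions[sid]) - now).total_seconds()))


def demo() -> dict:
    # Constructed scenario: 1 h idle window, 24 h absolute cap (the values in the answer above).
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    p = SessionPolicy(idle=timedelta(hours=1), absolute=timedelta(hours=24))
    p.login("sid-active", "alice", now)
    p.login("sid-idle", "bob", now)
    out = {"idle_after_61m": p.touch("sid-idle", now + timedelta(minutes=61))}
    t = now
    while t < now + timedelta(hours=23, minutes=30):    # alice clicks every 30 minutes
        t += timedelta(minutes=30)
        out["active_at_23h30"] = p.touch("sid-active", t)
    out["max_age_at_23h30"] = p.cookie_max_age("sid-active", t)
    out["active_at_24h"] = p.touch("sid-active", now + timedelta(hours=24))
    return out
```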
The standard refresh token time is 24 hours so that should cover the day of inactivity.
You shouldn't need a rolling session.
Make the web app session timeout "Absolute" which indicates that the user is forced to re-authenticate after the time period specified.
In terms of the forced password reset, look here.
Since a registration's expiration time is 90 days,
I plan to check first for every concerned device/registration before sending any notification,
because I don't want to keep anything on the server.
However, I'm not sure if it's a good idea to do.
Is it slow to do for lots of devices?
Also, I cannot find a way to set the expiration time of any registration,
so I've never seen the result when sending to an expired device?
Can anyone suggest?
The common recommended approach is to refresh the registration on every app start-up, as documented at https://azure.microsoft.com/en-us/documentation/articles/notification-hubs-registration-management/. This ensures that Notification Hubs holds the most recent token provided by the device PNS.
I have a problem in this specific scenario:
If my XPages application
If I have my Domino HTTP configured with the Single Server setting, the Ext.lib Keep-Alive control works well... and my session doesn't expire.
But if I use Domino HTTP configured with Multiple SSO (LTPAToken), with Firebug I see the Ext.lib Keep-Alive control working well (I see the PING request) but I don't know why my session expires.
Does anyone have any suggestion for me?
Thank you
P.S. My release is 9 Social on Linux 32-bit.
What kind of key did you use when you created the LTPA token?
When using WebSphere LTPA keys, a token is assigned and it will expire when the time specified in the field Expiration (minutes) elapses, no matter whether you are actively using your application or not.
When examining the documentation for products that use WebSphere server (Sametime, Connections) I found that IBM suggests to set Expiration time to a long interval (such as 600) minutes to minimize the risk of users being logged out in the middle of a working day. I admit that this does not sound like a good suggestion security-wise.
I assume it is the same when using Domino LTPA keys, with the added option of being able to specify Idle Session Timeout.
So, you can either increase the token expiration interval (depending on your requirements this could be an easy fix) or go with Stephan's suggestion. I don't know how to code his approach, but if I find a solution, I'll update this answer.
In a single server setting the server tracks the validity of the cookie. So whenever you hit the server it is updated. In a multi-server environment you get a new cookie before expiry. So you need to process the incoming cookie to replace the predecessor. Easiest way: using a regular page and an iframe.
I had an authentication problem in CakePHP: when posting credentials from an external site the authentication would work, and then get immediately lost, with the site prompting for login information again.
This guy determined that the CakePHP session cookie was changing. His solution was to set security to low.
Seems like in medium or high security Cake makes a double check for referer... but with low security works fine when clicking auth-protected links from external sites like hotmail or yahoo
This solution also worked for me, but what am I losing by setting CakePHP to 'low' security?
When security is high, a new session ID gets generated on every request. It is practically impossible to create a single-sign-on solution between two applications by sharing a session cookie in this case, since Cake will constantly change the session ID without notifying the other application.
When security is medium (or higher), session.referer_check is enabled.
When security is low, you don't have either of the above features, but it is still just as secure as any average PHP website/CMS out there.
The main thing that I know of is the session timeout, as per the app/config/core.php comments, in that your session timeout will be multiplied by a lower number.
The book backs this up:
The level of CakePHP security. The session timeout time defined in 'Session.timeout' is multiplied according to the settings here.
Valid values:
'high' = x 10
'medium' = x 100
'low' = x 300
'high' and 'medium' also enable session.referer_check
CakePHP session IDs are also regenerated between requests if 'Security.level' is set to 'high'.
Ref: http://book.cakephp.org/view/44/CakePHP-Core-Configuration-Variables
So the other thing looks to be the referrer checking.
session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.
So by the looks of it, the things you lose are the ability to accurately determine who and which sessions you are dealing with.
I ran into a similar problem with losing sessions and many answers pointed to using $this->requestAction() as it will basically curl a request out of the app, so it can look like another session being created with a high security.
The other thing that many google answers threw up was turning off Session.checkAgent in your app/config/core.php as that meant the session would not be checked. This at least prevented me from losing the session information between page requests.
:)
Two things happen when setting to 'low':
1) timeout is bigger
2) if session hijacking is easy, then it will be easier, since the session doesn't regenerate between requests as it does when set to 'high'!
And nothing else.
By the way, you can change the security level or the session timeout or both for a specific page... so it is not a no-undo choice.
I believe the only ramifications of setting this to low are that the session time is multiplied by 300 rather than 10 or 100 for high and medium respectively, and the session referer check that you are having the issue with.
Update:
If you previously had this set to high, you would also lose out on the session ID regeneration between requests.