Risks of Long-life Session

Indeed the question is pretty interesting. Either way it boils down to a risk assessment plus the controls in place in each system. Roughly, we could imagine 2 undesirable consequences of a long-life session:

  1. Somebody can just open a browser with your logged-in account. Controls:

    • Close all sessions from another device via Account settings if you suspect that your personal device has been stolen.
    • Lock your personal device. Unless the session is only 15 minutes long, there is no big difference between a 7-week session and an infinite session: somebody can use your computer if you don't lock it, and the session usually keeps being renewed as long as you use the device. So you should lock your device and close all sessions from another device if your computer has been stolen.
  2. Somebody can steal your session ID and open it on another device. Controls:

    • User notification about it via push notifications, SMS or e-mail.

As for the controls in place in the mentioned systems, let's look at each case:

  1. Stack Exchange has a 1-week rolling session. Controls: you can log in with Google or with a custom e-mail, you can remove sessions, you can log out.
  2. GitHub has 45 days. Controls: there is two-factor authentication (2FA), session control, backup e-mails, SSH keys, logout.
  3. Gmail has a never-ending session. Controls: suspicious login detection, alerts, 2FA, backup e-mails, everything...

Keep in mind that the difference between a 7-day and a 45-day session policy is kind of subtle: while the session is still active somebody can just open your browser if you forgot to lock your device. Therefore it looks like there is not too much to do about an unlocked device, but Gmail has pretty strong controls on any suspicious activity. Anyway, security engineers select the expiration time from their internal security risk assessment, which may differ from case to case; it may differ from our perception, and there is always a portion of subjectivity.


TL;DR Cookies can have a lifetime explicitly set, or expire at the end of a browsing session. The Expires attribute does not necessarily mean the user is considered "logged in" for that entire time.

From looking through the cookies

I think there is a misconception between the cookies and the application logic implemented around them. If you look at the cookies alone: some sites use cookies before the user has even authenticated, so as to track anonymous users. Cookies can be used for a wide range of tracking purposes, including tracking authenticated users.

A session cookie is a specific cookie that expires with the user's browser session. Namely, when the user closes their browser the session cookies expire.

There is nothing stopping the server (application) from deciding to require the holder of the cookie to (re)authenticate.


My opinion is that many services need to find a balance between security, usability, and also their business models. More and more companies want to collect as much data as possible about their users, and for that reason they want you to stay logged in all the time. These services often beg/nag you to log in or register, if you scroll their pages while logged out. Social media features also rely on sharing stuff quickly and almost compulsively, and that can be done comfortably only if you are already logged in to your social media websites, basically all the time. What about the security risks? They are probably considered to be negligible, thanks to all the other security controls these companies have implemented, and they probably decided it's not worth hurting their business model to gain a little more security.

Let's see the risks, and why they could have decided to leave them out of the equation.

  • Your brother uses your computer, and you forgot to log out. If someone else has unrestricted access to your computer, you already have bigger problems to deal with. Making the session expire after a few hours instead of days won't have a significant impact on your security anyway.
  • You logged in from an internet cafe, and forgot to log out. Again, whenever you use someone else's machine, you are going to have bigger problems if you are not very careful. In any case, if the website allows you to "log out on all other devices", then you can stop the attacker's session as soon as you realize something is wrong. Also, 2FA is going to help, or even just setting a recovery option (email or phone). Most social media websites have those options, and some even beg/nag you to use them.
  • Someone steals your cookies. How, and what for? Websites that are serious about security use http-only cookies, HTTPS, HSTS, do security checks on your IP, your location, your device, your behavior, offer 2FA and various recovery options, etc.
  • CSRF and XSS. Some vulnerabilities allow you to steal cookies, or ride existing sessions. If you are logged out, these kinds of attacks might not work. But serious websites probably already implement CORS, Content Security Policies, don't allow browsers to load them in iframes, offer bug bounties, have internal security teams, develop and/or use artificial intelligence to monitor their business, etc. Would reducing the cookie expiration time to a few hours or even minutes have an impact, in this scenario?

To sum up, for those "big" companies reducing the session time isn't going to have a noticeable impact on their security. Making sessions expire too soon is actually going to hurt their businesses, because their users expect and are expected to be always connected. I still log out on every website when I'm done using it, because it's always a good habit: we know that not every website can be expected to follow the best security practices or invest enough resources in security like Google/Facebook/etc.
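The cookie attributes this answer lists as the hallmarks of a site that is "serious about security" (HttpOnly, HTTPS-only, CSRF resistance) and the earlier TL;DR's point that a cookie without Expires/Max-Age is a browser-session cookie can both be checked mechanically from a `Set-Cookie` header. Below is an added example, not code from the answers above: a small auditor that parses a `Set-Cookie` value, computes the cookie's lifetime, and reports which hardening attributes are absent. The sample headers are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for lifetime and hardening attributes.

Added example, not part of the original answers. Parses the attribute list of a
Set-Cookie header value (RFC 6265 syntax), reports the cookie's lifetime in
seconds (None = session cookie, cleared when the browser closes) and lists
missing defensive attributes. The sample headers below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time for computing Expires-based lifetimes.
NOW = datetime(2025, 10, 14, 7, 28, 0, tzinfo=timezone.utc)

# Constructed sample headers (values are placeholders, not real session IDs).
WEAK = "sid=abc123; Path=/; Expires=Wed, 21 Oct 2025 07:28:00 GMT"
HARDENED = "sid=abc123; Path=/; Max-Age=604800; Secure; HttpOnly; SameSite=Lax"
SESSION_ONLY = "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict, now: datetime):
    """Seconds until the browser discards the cookie, or None for a session cookie.

    Per RFC 6265, Max-Age takes precedence over Expires when both are present.
    """
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # tolerate a date string without a zone
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_cookie(header: str, now: datetime = NOW) -> dict:
    """Return the cookie name, its lifetime, and a list of missing hardening attributes."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("no-httponly")      # page scripts can read the cookie
    if "secure" not in attrs:
        findings.append("no-secure")        # cookie is also sent over plain HTTP
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or str(samesite).lower() == "none":
        findings.append("samesite-weak")    # sent along with cross-site requests
    return {
        "name": name,
        "lifetime_seconds": cookie_lifetime(attrs, now),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED), ("session", SESSION_ONLY)):
        print(label, audit_cookie(header))
```

Run against the three constructed headers, the first reports a 7-day lifetime and all three findings, the second the same lifetime with no findings, and the third no lifetime at all (a pure session cookie) and no findings. As the answers above stress, a clean audit says nothing about how long the server will keep honouring the ID; it only tells you how long the browser will keep presenting it and to whom.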