Like Speaking out Against Exception Handling
Jeff Atwood of Coding Horror posted a flawed article on why session expiration is bad. The gist of his article is that it presents a poor user experience, which should trump the security concerns. I will not deny that the user experience with session expiration is less than ideal; the whole idea of sessions to begin with is an ugly hack to get around the fact that HTTP is stateless and that the best end-user authentication scheme we have come up with is a login screen with easily stolen personal credentials. Until a better scheme is brought up, which will be no small thing, it is something that we just have to live with.
That is not to say that the user experience can’t be improved. Saving a session state, so that when the user is forced to authenticate again they don’t lose progress, is eminently doable and would improve the experience when sessions expire. Getting rid of session expiration entirely is a horrible idea though. Jeff seems to think that the risk of persistent sessions is someone sniffing the sessionID over the wire and that SSL/TLS completely mitigates that. To me that is a low concern (sensitive data should always go over an encrypted channel, but network sniffing is rarely efficient anywhere outside of an intranet) relative to the threat of CSRF, cross-site scripting attacks against the cookie storing the sessionID, and, if the HTML 5 working group gets their way, XMLHttpRequest going across domains and passing cookies (fortunately it seems both Firefox 3 and IE 8 are inclined not to do so; take that, Opera). Regardless of how long the session is valid there is some risk from these attacks, but having persistent cookies extends the length of exposure after the sessionID has been compromised.
With the widespread presence of cross-site scripting and the relative lack of protection against CSRF, these are very real security concerns that are highly likely to be present on most websites. If neither were present it would be safer to have longer sessions, but I think it would be naive to assume their absence. Defense in Depth is a mantra for a reason. Yeah, it sucks for the user somewhat, but erring on the side of usability is a Windows 98 style mistake.
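To make the point concrete, here is an added example (my own sketch, not code from Jeff's post or from any framework) of the two things argued for above: sessions that expire on both inactivity and an absolute lifetime, so a compromised sessionID stops working after a bounded window, and the user's in-progress state parked at expiry so a forced re-login does not lose it. The timeout values and the store layout are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before re-auth
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap on a session's total life


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    state: dict = field(default_factory=dict)  # e.g. half-filled form data


class SessionStore:
    """Server-side sessions with idle and absolute expiry.

    When a session expires its state is parked per user, so the next
    successful login for that user gets the saved progress back.  A
    sessionID that leaked via XSS/CSRF is useless once either timer fires.
    """

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for deterministic tests
        self.sessions = {}            # sessionID -> Session
        self.parked_state = {}        # user -> state saved at expiry

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable, freshly issued
        now = self.clock()
        state = self.parked_state.pop(user, {})  # restore saved progress
        self.sessions[sid] = Session(user, now, now, state)
        return sid

    def lookup(self, sid):
        """Return the live Session for sid, or None if unknown or expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.parked_state[s.user] = s.state   # keep the user's work
            del self.sessions[sid]                 # the stolen ID dies here
            return None
        s.last_seen = now
        return s
```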
What bothers me about Jeff’s post isn’t that a developer feels that way, sadly that is pretty common, but that a fairly competent developer with a large readership is evangelizing an unsafe practice. It is, in effect, the same thing as Joel Spolsky of JoelOnSoftware fame advocating the avoidance of Exception Handling. It is a bad practice and it concerns me that someone with such high visibility would actively be promoting it. I think it also illustrates how security-ignorant developers really are, when even such senior individuals don’t understand how bad a suggestion really is. I could be wrong though; Jeff may understand. Many of his past points stress usability and he could be of the mindset that usability trumps all other concerns (it is important, but it is one of many considerations that must be weighed).
~ Joshbw