Session Expiration

infoRouter Document and Folder Security forum. Access controls for documents and folders.

Moderator: infoRouter Guru

Post Reply
bjeup
Posts: 3
Joined: Mon Jul 11, 2011 11:06 am

Session Expiration

Post by bjeup » Mon Jul 18, 2011 10:51 am

I sent this question in to 'support@inforouter.com' but also wanted to post in here for everyone's benefit.

Would you be able to tell us when (if at all) InfoRouter sessions expire?

We have noticed that moving session data (via cookies) between machines allows us to login as other users. Obviously this is why users in Firefox are instructed to clear their sessions/cookies to logout properly. Unfortunately if I capture a cookie prior to doing this I can then import this cookie and be logged in as that user. We were also able to replicate the same sort of behavior with IE using the debugging tool 'Fiddler2'. Needless to say this represents a bit of a security concern.

Is there a length of time for which sessions are valid on the server side? Any info on this topic would be greatly appreciated.

User avatar
infoRouter Guru
Posts: 230
Joined: Fri Aug 07, 2009 8:46 pm

Re: Session Expiration

Post by infoRouter Guru » Tue Jul 19, 2011 12:05 pm

Okay, here it goes "for everyone's benefit":

Sessions expire every 20 minutes and Yes they can be copied from one workstation to the other. However the process is a little more complicated than what you would expect.
The browser header contains login information which cannot be copied from one workstation to the other. If the session expires, the corresponding ticket on the server is cleared out. When this happens, the client will not be able continue with just the cookie at hand.

This scheme will be changed in version 9 leaving no room for such a gap. Stay tuned.

The Guru

Post Reply

Return to “infoRouter Document and Folder Security”

Who is online

Users browsing this forum: No registered users and 2 guests