Session Expiration

Posted: Mon Jul 18, 2011 10:51 am
by bjeup
I sent this question in to 'support@inforouter.com' but also wanted to post in here for everyone's benefit.

Would you be able to tell us when (if at all) InfoRouter sessions expire?

We have noticed that moving session data (via cookies) between machines allows us to log in as other users. Obviously this is why users in Firefox are instructed to clear their sessions/cookies to log out properly. Unfortunately, if I capture a cookie prior to doing this I can then import this cookie and be logged in as that user. We were also able to replicate the same sort of behavior with IE using the debugging tool 'Fiddler2'. Needless to say, this represents a bit of a security concern.

Is there a length of time for which sessions are valid on the server side? Any info on this topic would be greatly appreciated.

Re: Session Expiration

Posted: Tue Jul 19, 2011 12:05 pm
by infoRouter Guru
Okay, here it goes "for everyone's benefit":

Sessions expire every 20 minutes and yes, they can be copied from one workstation to the other. However, the process is a little more complicated than what you would expect.
The browser header contains login information which cannot be copied from one workstation to the other. If the session expires, the corresponding ticket on the server is cleared out. When this happens, the client will not be able to continue with just the cookie at hand.

This scheme will be changed in version 9 leaving no room for such a gap. Stay tuned.

The Guru
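
The server-side behaviour discussed in this thread (a ticket that is cleared on expiry, and a logout that must invalidate any captured copy of the cookie) can be sketched as below. This is an added example, not infoRouter's code: the `SessionStore` class, its method names and the sliding idle window are assumptions; only the 20-minute figure comes from the reply above.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute figure quoted in the thread


class SessionStore:
    """Hypothetical server-side ticket store, keyed by a hash of the cookie value."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable clock so expiry can be tested
        self._tickets = {}       # sha256(token) -> (user, last_seen)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked ticket table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable cookie value
        self._tickets[self._key(token)] = (user, self._clock())
        return token

    def validate(self, token):
        """Return the user for a live ticket, else None."""
        key = self._key(token)
        ticket = self._tickets.get(key)
        if ticket is None:
            return None                     # logged out, expired, or never issued
        user, last_seen = ticket
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._tickets[key]          # clear the ticket on expiry
            return None
        # Assumption: the timeout is a sliding idle window, refreshed on each use.
        self._tickets[key] = (user, self._clock())
        return user

    def logout(self, token):
        # Destroy the ticket on the server. Clearing the browser cookie alone
        # leaves a captured copy valid until the idle timeout elapses.
        self._tickets.pop(self._key(token), None)
```

With this design a cookie captured before logout is rejected as soon as `logout` runs, and one captured from an abandoned session is rejected once the idle timeout passes.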