Reputation: 11793
We have been using Azure for almost 5 years, and we are very concerned about security.
One thing I really do not understand is why there is no session timeout in the Azure Portal (e.g. automatically sign out after 30 minutes of inactivity). As you hopefully all know, if you have access to the portal you can delete everything with a click of a button.
I always start the Portal in Chrome Incognito mode, and sign in with two-step authentication. Sometimes I forget to close the browser, and when I resume my laptop after a few days I just have to hit F5, and then I have access to everything. Even worse... if you just navigate away from the portal and revisit it after a few days, you are still signed in.
Is it possible to configure session timeout, to ensure a session does not live forever?
Upvotes: 1
Views: 26850
Reputation: 1
To resolve session expired problems in Azure, check your PC's date and time settings. An incorrect date and time can cause authentication tokens and sessions to expire prematurely. Ensure your system clock is accurate and synchronized with an internet time server.
Upvotes: 0
Reputation: 111
This option is now available in the Azure portal for Tenant/directory administrators. Click the portal settings (gear) icon and then click the 'Configure directory level timeout'. Enable the feature, set a time span (hours and minutes) and click Apply. Once configured, the changes will take effect after a logout/login and all users of the tenant will see a message in the portal settings pane.
Upvotes: 3
Reputation: 11
I am not sure if at the time you did it this feature was not available, but there is a way to do an "inactivity logout".
Upvotes: 1
Reputation: 165261
Start out by asking what's the attack vector?
If it's that someone can come along and resume your session, they can do a lot more damage. If an attacker can get access to your computer unlocked, they can do SO MUCH WORSE. For example, they could install a modified browser that keylogs everything and sends it to them. Or even worse they can execute a Man In The Browser Attack. Session expiry is going to do extremely little since they will just gain access next time you login.
The same attacks happen if you're using a shared computer.
In the vast majority of cases short timeouts only help against extremely primitive attackers. In general, the user experience pain they provide far outweighs any possible security benefit.
Which is why most non-bank systems have gone away from short session timeouts...
Upvotes: 0