AuthSub session token never expires; security issue?

I use GData AuthSub, so my administrative application does not need to store user / password information. I just got to the point in the documentation where I learned how to exchange the initial one-time token for a session token ( http://code.google.com/apis/accounts/docs/AuthSub.html#AuthSubSessionToken ). And this statement jumped out at me:

You can ignore the expiration date; it is not currently in use. Session tokens effectively do not expire.

Can someone help me understand how a token that does not expire is not a security issue? What does it mean that they "effectively" do not expire? Theoretically, if a malicious application manages to get hold of one of these tokens, can it continue to use it regardless of password changes? Can I find out which tokens are currently issued for my Google account?

In short, my paranoia has been heightened, and I need a smarter mind to reassure me!

EDIT: You can manually revoke tokens at https://www.google.com/accounts/IssuedAuthSubTokens

+4
1 answer

Yes, in fact: if the session token never expires, the vulnerability is recognized as CWE-384; if the session takes a really long time to expire, then this is a violation of CWE-613. Both CWE pages provide a great explanation of the vulnerability. I do not know the specifics for these applications, but usually a session token can be used for immediate authentication without the need for a username / password.

+1
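As an added illustration (not the page's or Google's code) of the controls the answer's CWE references are about: a constructed server-side session-token store that enforces an absolute and an idle expiry, invalidates tokens minted before a password change, and lets a user list and revoke issued tokens. The `SessionStore` API, the record layout and the TTL values are assumptions, not AuthSub's.

```python
import hashlib
import secrets

# Constructed example of a server-side session-token registry; it is not
# Google's AuthSub implementation, and the TTL values are assumptions.
ABSOLUTE_TTL = 30 * 24 * 3600  # token dies 30 days after issue, used or not
IDLE_TTL = 7 * 24 * 3600       # ...or after 7 days without use (CWE-613 control)


class SessionStore:
    def __init__(self):
        self._sessions = {}      # sha256(token) -> session record; raw tokens never stored
        self._cred_version = {}  # user -> current password generation

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _alive(self, s, now):
        return (now - s["issued_at"] <= ABSOLUTE_TTL and now - s["last_used"] <= IDLE_TTL
                and s["cred_version"] == self._cred_version.get(s["user"]))

    def exchange(self, user, scope, now):
        """Mint a long-lived session token, as the one-time-token exchange does."""
        token = secrets.token_urlsafe(32)
        ver = self._cred_version.setdefault(user, 1)  # password generation at minting
        self._sessions[self._key(token)] = {"user": user, "scope": scope, "cred_version": ver,
                                            "issued_at": now, "last_used": now}
        return token

    def validate(self, token, now):
        """Return the session record if the token is still usable, else None."""
        s = self._sessions.get(self._key(token))
        if s is None or not self._alive(s, now):
            return None
        s["last_used"] = now  # sliding idle window
        return s

    def password_changed(self, user):
        """Bump the credential generation so every earlier token stops validating."""
        self._cred_version[user] = self._cred_version.get(user, 1) + 1

    def revoke(self, token):
        """Manual revocation, the server side of an IssuedAuthSubTokens-style page."""
        self._sessions.pop(self._key(token), None)

    def issued_tokens(self, user, now):
        """Live tokens for a user as (fingerprint, scope, issued_at) tuples."""
        return [(k[:8], s["scope"], s["issued_at"]) for k, s in self._sessions.items()
                if s["user"] == user and self._alive(s, now)]
```

Because the store keys only a hash of the token, listing and revocation work from the fingerprint while the raw token never rests on the server.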