security - How can you configure session timeout in the Azure Portal? -
we have been using azure 5 years, , concerned security.
one thing not understand why there no session timeout in azure portal (e.g. automatically sign out after 30 minutes of inactivity). know, if have access portal you can delete click of button.
i always start portal in chrome incognito mode, , sign in two-step authentication. forget close browser, , when resume laptop after few days have hit f5, , have access everything. worse... if navigates away portal , revisits after few days still signed in.
is possible configure session timeout, ensure session not live forever?
start out asking what's attack vector?
if it's can come along , resume session, can lot more damage. if attacker can access computer unlocked, can worse. example, install modified browser keylogs , sends them. or worse can execute man in browser attack. session expiry going extremely little since gain access next time login.
the same attacks happen if you're using shared computer.
in vast majority of cases short timeouts against extremely primitive attackers. in general, user experience pain provide far outweighs possible security benefit.
which why non-bank systems have gone away short session timeouts...