SSL Token Timeout

From: woodylsmo (hparker_at_fbdconsult.com)
Date: 09/30/03


Date: Tue, 30 Sep 2003 05:58:28 -0700


We had an incident where a client contacted our secure web
server and accessed a record via SSL. Our web server is
running IIS 5.0 and it is tied to a SQL2K server for the
database records. This user logged into the secured URL
using HTTPS:\\urlname. Once the user got their account
information, they cut and pasted the entire SSL key from
their IE browser into an email message that was sent to
the entire company of the user. Once individuals within
the company received the email, they were able to just
click on the link and gain full access to the secured
website and all of the records in the database.

Is there a way to tell SSL to timeout faster, or timeout
once the user leaves the current web page? Can we somehow
prevent cut/copy/paste of the public SSL key? What is the
default timeout for SSL keys and how do I change it? I am
not sure how exactly to handle this, but I know this has to
be prevented. Can anyone give me some answers?