What if we limit the number of sessions a user
can have active at any point in time? We know beforehand how many
sessions a specific user needs. Typically, a senior claim analyst
uses a session to do his or her work, and perhaps opens up another
to answer a question from a junior analyst. A maximum of two
sessions, then, is adequate for a senior analyst, but only one is
adequate for a junior analyst. Profiles are used to limit the number
of concurrent sessions for a specific username. This parameter
specifies that limit.
The other technique that hackers employ is using the database session of other legitimate users after their regular work. However, if there is a limit on the maximum amount of time a user session can stay connected to the database, the sessions are automatically disconnected.
HIPAA rules do not mandate this, but they do
recommend using some sort of mechanism to limit the time so that a
malicious intruder has fewer resources. This parameter in the
profile enforces that limit. Expressed in seconds, it limits the
maximum time a user can stay connected to the database. After this
limit expires, the sessions are automatically disconnected.
In this case, let's assume the senior claim analyst connects at 8 in the morning, goes to lunch at 12 noon, comes back at 1 and works till 5. Therefore, she works for only 4 hours at a stretch. Given another hour for some extra work, 5 hours should be the maximum time for the senior claim analyst to work, and that should be the limit. Expressed in seconds, it is 5 times 60 times 60, i.e. 18000.
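The two profile limits worked out above (two sessions for a senior analyst, one for a junior, and a five-hour connect limit), written out as an added example that is not part of the original text. It assumes an Oracle database, where the profile limits are SESSIONS_PER_USER, CONNECT_TIME and IDLE_TIME and the two time limits are given in minutes rather than seconds; the profile and user names and the idle-time value are hypothetical.

```sql
-- Added example, not from the original text. Assumes Oracle; names are hypothetical.

-- Session resource limits in a profile are enforced only while the
-- RESOURCE_LIMIT initialization parameter is TRUE (password limits do
-- not need this, but SESSIONS_PER_USER, CONNECT_TIME and IDLE_TIME do).
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Senior claim analyst: at most two concurrent sessions, and a session
-- is disconnected after five hours. CONNECT_TIME is in minutes here,
-- so the five-hour limit is 300. IDLE_TIME is the idle limit the text
-- goes on to discuss; 15 minutes is an assumed value.
CREATE PROFILE claim_analyst_sr LIMIT
  SESSIONS_PER_USER 2
  CONNECT_TIME      300
  IDLE_TIME         15;

-- Junior claim analyst: a single session is adequate.
CREATE PROFILE claim_analyst_jr LIMIT
  SESSIONS_PER_USER 1
  CONNECT_TIME      300
  IDLE_TIME         15;

-- Attach the profiles to the accounts (hypothetical usernames).
ALTER USER sr_analyst1 PROFILE claim_analyst_sr;
ALTER USER jr_analyst1 PROFILE claim_analyst_jr;

-- Check what was actually stored; a limit still reading DEFAULT
-- means the profile inherits it from the DEFAULT profile instead.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile IN ('CLAIM_ANALYST_SR', 'CLAIM_ANALYST_JR')
   AND resource_type = 'KERNEL'
   AND resource_name IN ('SESSIONS_PER_USER', 'CONNECT_TIME', 'IDLE_TIME')
 ORDER BY profile, resource_name;

-- Monitoring: how many sessions each user currently holds, which is
-- the figure SESSIONS_PER_USER is meant to cap.
SELECT username, COUNT(*) AS active_sessions
  FROM v$session
 WHERE username IS NOT NULL
 GROUP BY username
 ORDER BY active_sessions DESC;
```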
Hackers typically wait for a legitimate user to be connected but
idle. Then they hijack the session to carry out their task. Idle
time while connected is one of