Description
A session timeout is an event occurring when a user does not perform any action on a website during a time frame which leads to making the session status invalid and instructs the web server to destroy it. Missing Session Timeout happens when the application doesn't time out the session or the time frame is very long thus allowing an attacker having the user session to use it without limitations
Attack Scenario
An attacker can try to steal and use an existing user session in a specific time frame as session timeout defines an action window time for a user, this window represents the time the attacker will have to take malicious actions.
Mitigation
- Set session timeout to the minimal value possible depending on the context of the application.
- Avoid “infinite” session timeout.
- Trace session creation/destruction in order to analyze the creation trend and try to detect a normal number of session creations.
ID: 10004