Missing Session Timeout

Low

Description

A session timeout is an event that occurs when a user performs no action on a website for a given period of time; it invalidates the session and instructs the web server to destroy it. Missing Session Timeout happens when the application does not time out the session at all, or when the time frame is very long, allowing an attacker who has obtained the user's session to use it without limitation.

Attack Scenario

The session timeout defines the window of time during which a user's session remains valid. An attacker who steals an existing user session must use it within that window, so the length of the window is the time the attacker has to take malicious actions.

Mitigation

  •   Set the session timeout to the smallest value the context of the application allows.
  •   Avoid “infinite” session timeouts.
  •   Log session creation and destruction so that the creation trend can be analyzed and a baseline for the normal number of session creations established.
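The following is an added example illustrating the mitigations above; it is not code from the original entry or from any particular framework. It is an in-memory session store that enforces both an idle timeout (no request for a while) and an absolute lifetime (so that a stolen session cannot be kept alive indefinitely by periodic requests), and it records creation/destruction events so that the number of session creations in a time window can be compared against a baseline. The timeout values, the audit-log shape and the fixed timestamps used in the demo are assumptions chosen for illustration.

```python
"""Session store with idle and absolute timeouts plus a creation/destruction log.
Added example; timeout values and log format are assumptions, not from the page."""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: a session never lives longer than 8 hours


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


@dataclass
class SessionStore:
    idle_timeout: float = IDLE_TIMEOUT
    absolute_timeout: float = ABSOLUTE_TIMEOUT
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (timestamp, event, user, reason)

    def create(self, user, now=None):
        """Create a session with a random identifier and log the creation."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        self.audit_log.append((now, "created", user, None))
        return sid

    def _destroy(self, sid, now, reason):
        sess = self.sessions.pop(sid)
        self.audit_log.append((now, "destroyed", sess.user, reason))

    def validate(self, sid, now=None):
        """Return the session if it is still valid and refresh last_seen;
        otherwise destroy it and return None. Both timeouts are applied on
        every request; the absolute limit is checked first so that a session
        kept alive by regular requests still ends."""
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if now - sess.created_at > self.absolute_timeout:
            self._destroy(sid, now, "absolute_timeout")
            return None
        if now - sess.last_seen > self.idle_timeout:
            self._destroy(sid, now, "idle_timeout")
            return None
        sess.last_seen = now
        return sess

    def logout(self, sid, now=None):
        """Explicit logout destroys the session immediately."""
        now = time.time() if now is None else now
        if sid in self.sessions:
            self._destroy(sid, now, "logout")

    def creations_in_window(self, start, end):
        """Number of sessions created between start and end (inclusive).
        Comparing this against the usual baseline is how a creation spike
        (for example, from automated session harvesting) becomes visible."""
        return sum(1 for ts, ev, _, _ in self.audit_log
                   if ev == "created" and start <= ts <= end)


def demo():
    """Walk through the three cases with a constructed fixed clock."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed timestamp for reproducibility
    sid_idle = store.create("alice", now=t0)
    sid_abs = store.create("bob", now=t0)
    result = {
        "active_after_10min": store.validate(sid_idle, now=t0 + 600) is not None,
        # idle: no request for longer than IDLE_TIMEOUT after the last one
        "idle_expired": store.validate(sid_idle, now=t0 + 600 + IDLE_TIMEOUT + 1) is None,
        # absolute: touched once, then checked after the absolute lifetime
        "abs_touched": store.validate(sid_abs, now=t0 + 1) is not None,
        "abs_expired": store.validate(sid_abs, now=t0 + ABSOLUTE_TIMEOUT + 1) is None,
        "creations_at_t0": store.creations_in_window(t0, t0),
        "destroy_reasons": [e[3] for e in store.audit_log if e[1] == "destroyed"],
    }
    return result


if __name__ == "__main__":
    print(demo())
```

In a real deployment the two limits would be read from configuration and the audit log would go to the application's logging pipeline rather than a list, but the check itself (absolute lifetime first, then idle gap, on every request) is what closes the window described in the Attack Scenario.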

ID: 10004