57 lines
1.5 KiB
Plaintext
57 lines
1.5 KiB
Plaintext
Perhaps no one ever said "idle sessions are the devil's workshop", but they should have. Sessions that users have abandoned are vulnerable to being hijacked. To keep the window of danger as small as possible, any application which authenticates users should also time them out after as small as practical a period of inactivity.
|
|
|
|
|
|
This rule raises an issue when session timeout is set higher than the provided value.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
With the default threshold of 15:
|
|
|
|
[source,text]
|
|
----
|
|
// web.xml
|
|
<session-config>
|
|
<session-timeout>60</session-timeout> <!-- Noncompliant -->
|
|
</session-config>
|
|
----
|
|
or
|
|
|
|
[source,text]
|
|
----
|
|
public class MySessionListener implements HttpSessionListener{
|
|
public void sessionCreated(HttpSessionEvent event){
|
|
event.getSession().setMaxInactiveInterval(30*60); // Noncompliant; 30 min > 15
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
[source,text]
|
|
----
|
|
// web.xml
|
|
<session-config>
|
|
<session-timeout>15</session-timeout>
|
|
</session-config>
|
|
----
|
|
or
|
|
|
|
[source,text]
|
|
----
|
|
public class MySessionListener implements HttpSessionListener{
|
|
public void sessionCreated(HttpSessionEvent event){
|
|
event.getSession().setMaxInactiveInterval(15*60);
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
|
|
* https://cwe.mitre.org/data/definitions/613[MITRE, CWE-613] - Insufficient Session Expiration
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html[OWASP, Session Management Cheat Sheet]
|
|
|