Session Timeout - Revision history

Imifos: Moved page into the right category. See Java space page for me details. Content has not been reviewed in this edit.

2017-11-10T21:53:31Z

Moved page into the right category. See Java space page for me details. Content has not been reviewed in this edit.

Owen Pendlebury: fixed spelling mistake ""stole""

2013-08-20T15:29:56Z

fixed spelling mistake ""stole""

Mark Law at 23:58, 6 November 2012

2012-11-06T23:58:01Z

Dominique RIGHETTO: Page creation

2012-01-22T17:12:38Z

Page creation

New page

==Status==
Released on (mm/dd/yyyy) : 01/22/2012

==Description of the session timeout==
Session timeout represents the event occuring when a user do not perform any action on a web site during a interval (defined by web server). The event, on server side, change the status of the user session to 'invalid' (ie. "not used anymore") and instruct the web server to destroy it (deleting all data contained into it).

==Define the session timeout==
On JEE web application , there 2 ways to define session timeout,
* Declaratively in web deployment descriptor (file "web.xml") : This definition is applied to all session created for the application.
* Programmatically on session object : This definition apply only on current session.

'''Timeout defined declaratively'''
<pre>
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">

...


<session-config>
<session-timeout>15</session-timeout>
</session-config>

...

</web-app>
</pre>

'''Timeout defined Programmatically'''
<pre>
package org.owasp.javaproject.sessiontimeout;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
* Code sample showing how to access to session timeout and act on it.
*/
@SuppressWarnings("serial")
@WebServlet("/SessionTimeout")
public class SessionTimeoutCodeSample extends HttpServlet {

/**
* {@inheritDoc}
*
* @see javax.servlet.http.HttpServlet#doGet(javax.servlet.http.HttpServletRequest,
* javax.servlet.http.HttpServletResponse)
*/
@SuppressWarnings("boxing")
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// Get reference on session object
HttpSession session = req.getSession();

// Display session timeout value defined in "web.xml"
// Value here is specified in seconds...
System.out.printf("Session timeout defined at application level : %s\n", session.getMaxInactiveInterval());

// Change session timeout for this session and display new timeout value
// Value here is defined in seconds...
session.setMaxInactiveInterval(60);
System.out.printf("Session timeout defined at code level : %s\n", session.getMaxInactiveInterval());
}

}
</pre>

<pre>
Session timeout defined at application level : 900
Session timeout defined at code level : 60
</pre>

==Impact of the session timeout on security and best practices==
Session timeout define action window time for a user thus this window represents, in the same time, the delay in which an attacker can try to stole and use a existing user session...

For this, it's best practices to :
* Set session timeout to the minimal value possible depending on the context of the application.
* Avoid "infinite" session timeout.
* Prefer declarative definition of the session timeout in order to apply global timeout for all applicatin session.
* Trace session creation/destroy in order to analyse creation trend and try to detect anormal session number creation (application profiling phase in a attack).

[[Category:OWASP Java Project]]

← Older revision		Revision as of 21:53, 10 November 2017
Line 91:		Line 91:
	* Trace session creation/destroy in order to analyse creation trend and try to detect anormal session number creation (application profiling phase in a attack).		* Trace session creation/destroy in order to analyse creation trend and try to detect anormal session number creation (application profiling phase in a attack).

−	[[Category:~~OWASP~~ Java ~~Project~~]]	+	[[Category:Java]]

@@ Line 83: / Line 83: @@
 ==Impact of the session timeout on security and best practices==
-Session timeout define action window time for a user thus this window represents, in the same time, the delay in which an attacker can try to stole and use a existing user session...
+Session timeout define action window time for a user thus this window represents, in the same time, the delay in which an attacker can try to steal and use a existing user session...
 For this, it's best practices to :

@@ Line 88: / Line 88: @@
 * Set session timeout to the minimal value possible depending on the context of the application.
 * Avoid "infinite" session timeout.
-* Prefer declarative definition of the session timeout in order to apply global timeout for all applicatin session.
+* Prefer declarative definition of the session timeout in order to apply global timeout for all application sessions.
 * Trace session creation/destroy in order to analyse creation trend and try to detect anormal session number creation (application profiling phase in a attack).
 [[Category:OWASP Java Project]]