Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration"
Edit by James Landis (talk | contribs), edit summary: Removed detailed description (references are intended to be used if the reader needs more information about the vulnerability) and simplified root cause description. Added requirement for working logout button to generic framework solution.
Revision as of 11:53, 22 July 2013
Insufficient Session Expiration
Root Cause Summary
The application either does not implement an inactivity timeout or an absolute timeout, or the timeouts are too long to provide sufficient risk mitigation. The application does not provide a logout feature, or the feature does not actively terminate the user's session.
Browser / Standards Solution
Currently, session management is normally implemented with cookies and web frameworks that are custom to each solution. There is work underway to define a new standard for instructing the browser about session timeouts and how to handle them.
Perimeter Solution
None
Generic Framework Solution
The framework should provide a configurable option for setting the inactivity and absolute timeouts for sessions. Timeouts should have secure defaults (e.g. 20 minutes of inactivity, 8 hours absolute lifetime). The framework should provide a configuration option to automatically save session state and allow the session to continue if the user successfully reauthenticates after the session times out.
The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
Most web frameworks support an idle (inactivity) timeout, and few support an absolute timeout, but there are exceptions to both of these generalizations. Custom session handling mechanisms require much of this logic to be implemented "by hand".
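As an added example (not OWASP's text and not any framework's own code), the following Python session store implements the controls described under Generic Framework Solution, and shows the logic that the Discussion says custom session handling must otherwise implement "by hand": an inactivity timer and an absolute timer with the page's suggested defaults (20 minutes idle, 8 hours absolute), a logout that destroys the server-side session immediately, and parking of session state so it can be restored when the user reauthenticates after a timeout. The class and function names (`SessionStore`, `FakeClock`, `reauthenticate`) and the in-memory dict store are assumptions made for this illustration.

```python
"""In-memory session store with inactivity and absolute timeouts.

Added example; assumes an in-memory dict store and an injectable clock so
that the timers can be exercised deterministically in tests.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Secure defaults suggested on the page: 20 minutes idle, 8 hours absolute.
INACTIVITY_TIMEOUT = 20 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # drives the absolute timeout
    last_seen: float    # drives the inactivity timeout
    state: dict = field(default_factory=dict)


class FakeClock:
    """Controllable clock (assumed helper) so the example runs offline and deterministically."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time,
                 inactivity_timeout: int = INACTIVITY_TIMEOUT,
                 absolute_timeout: int = ABSOLUTE_TIMEOUT):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        # State parked per user when a session expires, restored on reauthentication.
        self._parked: Dict[str, dict] = {}
        self.inactivity_timeout = inactivity_timeout
        self.absolute_timeout = absolute_timeout

    def create(self, user: str, state: Optional[dict] = None) -> str:
        # 256 bits of randomness from the OS CSPRNG for the session identifier.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, dict(state or {}))
        return sid

    def touch(self, sid: str) -> Optional[Session]:
        """Validate the session on every request. Returns None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s.last_seen > self.inactivity_timeout
        absolute_expired = now - s.created_at > self.absolute_timeout
        if idle_expired or absolute_expired:
            # Remove the session so the old identifier can never be reused,
            # but keep the state so a successful re-login can continue the work.
            del self._sessions[sid]
            self._parked[s.user] = s.state
            return None
        s.last_seen = now   # activity resets the inactivity timer only
        return s

    def logout(self, sid: str) -> bool:
        """Destroy the session immediately; an explicit logout also drops parked state."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return False
        self._parked.pop(s.user, None)
        return True

    def reauthenticate(self, user: str, credentials_ok: bool) -> Optional[str]:
        """After a timeout, a successful re-login gets a NEW session id carrying the parked state."""
        if not credentials_ok:
            return None
        state = self._parked.pop(user, {})
        return self.create(user, state)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(clock=clock)
    sid = store.create("alice", {"cart": ["item1"]})
    clock.advance(21 * 60)
    print("after 21 idle minutes:", store.touch(sid))          # None: idle timeout
    new_sid = store.reauthenticate("alice", credentials_ok=True)
    print("state restored:", store.touch(new_sid).state)        # {'cart': ['item1']}
```

Two design points worth noting: the expiry check runs before `last_seen` is updated, so a request arriving after the idle window cannot revive the session; and reauthentication always issues a fresh identifier rather than reviving the old one, so an identifier captured before the timeout stays dead.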