
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration"

(Browser / Standards Solution)
(Removed detailed description (references are intended to be used if the reader needs more information about the vulnerability) and simplified root cause description. Added requirement for working logout button to generic framework solution.)
Line 2: Line 2:
  
 
== Insufficient Session Expiration ==
 
== Insufficient Session Expiration ==
 
In order to minimize the time period an attacker can launch attacks over active sessions and hijack them, it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active. Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active.
 
 
The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring. Both the idle and absolute timeout values are highly dependent on the criticality of the web application and its data. Common idle timeouts ranges are 2-5 minutes for high-value applications and 15- 30 minutes for low risk applications.
 
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective.
 
 
For most session exchange mechanisms, client side actions to invalidate the session ID are based on clearing out the token value. For example, to invalidate a cookie it is recommended to provide an empty (or invalid) value for the session ID, and set the “Expires” (or “Max-Age”) attribute to a date from the past (in case a persistent cookie is being used):
 
  
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
  
Insufficient Session Expiration normally occurs when a programmer does not configure idle timeout in the web framework, or configures the idle timeout to be to long in a web framework. Insufficient Session Expiration can also occur when logout functionality is not implemented or not implemented correctly. Absolute timeout based insufficient session expiration normally occurs when custom absolute timeout functionality is not implemented.
+
The application either does not implement an inactivity timeout or an absolute timeout, or the timeouts are too long to provide sufficient risk mitigation. The application does not provide a logout feature, or the feature does not actively terminate the user's session.
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
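Review bot: The new Root Cause Summary and the rest of this revision no longer agree on timeout figures: the removed paragraph gives idle timeouts of 2-5 minutes for high-value applications and 15-30 minutes for low-risk ones, while the Generic Framework Solution in the same revision proposes a 20-minute inactivity default. Suggest stating which risk tier the default targets, or pointing readers to the Session Management Cheat Sheet listed under References for the ranges. The removed sentence on clearing the client-side token (empty value, "Expires" or "Max-Age" set to a date in the past) is also the only place the page says how client-side invalidation works; consider keeping one sentence of it under Custom Code Solution.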
Line 21: Line 14:
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
Most web application frameworks provide configuration settings for IDLE timeout.  
+
The framework should provide a configurable option for setting the inactivity and absolute timeouts for sessions. Timeouts should have secure defaults (e.g. 20 minutes of inactivity, 8 hours absolute lifetime). The framework should provide a configuration option to automatically save session state and allow the session to continue if the user successfully reauthenticates after the session times out.
 +
 
 +
The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
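Review bot: "allow the session to continue if the user successfully reauthenticates" is ambiguous about whether the original session identifier survives the timeout. Suggest wording it so that the expired session ID is destroyed server-side and a new ID is issued on reauthentication, with only the saved application state carried over; as written, the saved-state option can be read as extending the life of an ID that should already have expired.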
Line 27: Line 22:
  
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
Absolute timeout needs to be implemented in a custom way in most web frameworks. The essential logic states that the session must immediately expire when the current time is greater than the absolute timeout length plus the login time.
+
None
  
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
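Review bot: Replacing the Custom Code Solution with "None" leaves this section contradicting the Discussion / Controversy text, which says custom session handling mechanisms require much of this logic to be implemented "by hand". Suggest keeping the removed rule as the custom-code guidance: expire the session as soon as the current time exceeds the login time plus the absolute timeout length, alongside the idle check.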

Revision as of 11:53, 22 July 2013


== Insufficient Session Expiration ==

=== Root Cause Summary ===

The application either does not implement an inactivity timeout or an absolute timeout, or the timeouts are too long to provide sufficient risk mitigation. The application does not provide a logout feature, or the feature does not actively terminate the user's session.

=== Browser / Standards Solution ===

Currently, session management is normally implemented with cookies and web frameworks that are custom to each solution. There is work underway to define a new standard for instructing the browser about session timeouts and how to handle them.

=== Perimeter Solution ===

None

=== Generic Framework Solution ===

The framework should provide a configurable option for setting the inactivity and absolute timeouts for sessions. Timeouts should have secure defaults (e.g. 20 minutes of inactivity, 8 hours absolute lifetime). The framework should provide a configuration option to automatically save session state and allow the session to continue if the user successfully reauthenticates after the session times out.

The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.

=== Custom Framework Solution ===

None

=== Custom Code Solution ===

None

=== Discussion / Controversy ===

Although most web frameworks support an idle timeout and few support an absolute timeout, there are cases where neither of these generalizations holds. Custom session handling mechanisms require much of this logic to be implemented "by hand".
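As an added worked example, not part of the original page or of any OWASP project code, the following Python sketches the server-side logic that the Generic Framework Solution and the Discussion / Controversy section describe: an idle timeout measured from the last request, an absolute timeout measured from login, immediate destruction on logout, state saved across a timeout and restored only under a fresh session ID after reauthentication, and the client-side cookie clearing that the earlier revision of the page mentions. The in-memory store, the SessionStore API, the timestamps and the user names are constructed assumptions; the 20-minute and 8-hour defaults are the figures the page gives.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Defaults taken from the page's example figures (20 minutes idle, 8 hours absolute).
IDLE_TIMEOUT = timedelta(minutes=20)
ABSOLUTE_TIMEOUT = timedelta(hours=8)


@dataclass
class Session:
    user_id: str
    created_at: datetime    # login time; anchors the absolute timeout
    last_seen_at: datetime  # last request; anchors the idle timeout
    state: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical in-memory server-side session store (constructed for this example)."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}  # session ID -> Session
        self._parked = {}    # user ID -> state saved at timeout, for reauthentication

    def create(self, user_id, now, state=None):
        """Start a fresh session with an unpredictable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now, now, dict(state or {}))
        return sid

    def validate(self, sid, now):
        """Return the live session, or destroy it server-side and return None if
        either the absolute or the idle timeout has been exceeded."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created_at > self.absolute or now - s.last_seen_at > self.idle:
            self._parked[s.user_id] = s.state  # keep state for a possible reauth
            self.destroy(sid)
            return None
        s.last_seen_at = now  # activity pushes the idle deadline forward
        return s

    def destroy(self, sid):
        """Logout: terminate the session immediately, ignoring both timers."""
        return self._sessions.pop(sid, None) is not None

    def reauthenticate(self, user_id, now):
        """After a timeout the old ID is gone; issue a new ID and restore saved state."""
        return self.create(user_id, now, self._parked.pop(user_id, {}))


def expired_cookie_header(name="SESSIONID"):
    """Set-Cookie value that clears the client-side token: empty value and an
    Expires date in the past (Max-Age=0 for clients that prefer it)."""
    return (f"{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")


def demo():
    """Walk through idle expiry, reauthentication, absolute expiry and logout
    against a constructed clock; returns the observations as a dict."""
    t0 = datetime(2013, 7, 22, 11, 53, tzinfo=timezone.utc)  # constructed start time
    store = SessionStore()
    out = {}

    sid = store.create("alice", t0, {"cart": ["item-1"]})
    out["live_after_10min"] = store.validate(sid, t0 + timedelta(minutes=10)) is not None
    # 25 minutes since the last request exceeds the 20-minute idle timeout
    out["idle_expired"] = store.validate(sid, t0 + timedelta(minutes=35)) is None
    out["old_id_rejected"] = store.validate(sid, t0 + timedelta(minutes=36)) is None

    new_sid = store.reauthenticate("alice", t0 + timedelta(minutes=36))
    s = store.validate(new_sid, t0 + timedelta(minutes=37))
    out["reauth_new_id"] = new_sid != sid
    out["reauth_state_restored"] = s is not None and s.state == {"cart": ["item-1"]}

    # A session touched every 10 minutes never idles out, but the absolute timeout
    # still ends it once more than 8 hours have passed since login.
    sid2 = store.create("bob", t0)
    out["absolute_kept_until_8h"] = all(
        store.validate(sid2, t0 + timedelta(minutes=m)) is not None
        for m in range(10, 481, 10))
    out["absolute_expired"] = store.validate(sid2, t0 + timedelta(minutes=481)) is None

    sid3 = store.create("carol", t0)
    out["logout_destroys"] = store.destroy(sid3) and store.validate(sid3, t0) is None
    out["cookie_cleared"] = expired_cookie_header().startswith("SESSIONID=; Expires=")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two timers are deliberately checked on every request rather than by a background sweeper, so an expired ID is refused the moment it is presented; the parked state is keyed by user, not by the old session ID, so reauthentication can never resurrect the identifier that timed out.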

=== References ===

Session Management Cheat Sheet