Insecure session expiration time

Need

Enforce secure session expiration time

Context

• Usage of Swift for iOS and macOS app development

• Usage of UIKit for building modern and responsive user interfaces

Description

1. Non-compliant code

import UIKit

class SessionManager {
    static let shared = SessionManager()
    var timer: Timer?
    var sessionDuration: TimeInterval = 60 * 60 // 1 hour

...

In the above Swift code, the `SessionManager` singleton manages the user session. It uses a `Timer` to determine when the session ends, and `sessionDuration` is set to 60 minutes. The `startSession` function starts a new session, ending any existing session first, and then schedules a Timer that ends the session once `sessionDuration` has elapsed. The `endSession` function runs when the Timer fires and is where the session should be invalidated. The `stopSession` function ends the current session by invalidating the Timer. The vulnerability is the 60-minute session duration: once a user becomes inactive, their session stays valid for up to an hour, and an attacker could use that window to hijack the user's session.

2. Steps

• Reduce the session duration to 5 minutes (300 seconds) to enforce the expiration time.

• Modify the `endSession` method to invalidate the session when called.

• Update the `startSession` method to reset the timer whenever there is user activity.

• Implement a mechanism to track user activity and reset the session timer accordingly.

3. Secure code example

import UIKit

class SessionManager {
    static let shared = SessionManager()
    var timer: Timer?
    var sessionDuration: TimeInterval = 300 // 5 minutes

...

The updated code sets the session duration to 5 minutes (300 seconds) instead of 1 hour, so the session expires after 5 minutes of inactivity. The `startSession` method now resets the session timer whenever the application becomes active; this is done by observing the `UIApplication.didBecomeActiveNotification` notification and calling `resetSession` when it is received, which stops the current session and starts a new one. The `endSession` method is called when the timer expires and should be completed to invalidate the session according to your application's requirements. The `stopSession` method invalidates the timer and is called when the session ends or when a new session is started. With these changes the session expires after 5 minutes of inactivity, which fixes the vulnerability.
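The following is an added example (not code from the page above) that carries the four steps through in one place: a 5-minute idle timeout, a reset on every user interaction, and a wall-clock check on resume because a `Timer` does not fire while the app is suspended. The `onExpire` hook and the `ActivityTrackingApplication` subclass are assumed names for this example.

```swift
import UIKit

/// Assumed session manager: expires the session after 5 minutes without user activity.
final class SessionManager {
    static let shared = SessionManager()
    let sessionDuration: TimeInterval = 300 // 5 minutes of inactivity
    private var timer: Timer?
    private var lastActivity = Date()
    /// Hypothetical hook: the app's auth layer clears tokens and shows the login screen here.
    var onExpire: (() -> Void)?
    private init() {
        // Timers do not fire while the app is suspended, so re-check idle time on resume.
        NotificationCenter.default.addObserver(self, selector: #selector(didBecomeActive),
            name: UIApplication.didBecomeActiveNotification, object: nil)
    }
    func startSession() { registerActivity() }
    /// Called on every user interaction; restarts the idle countdown from now.
    func registerActivity() {
        lastActivity = Date()
        scheduleTimer(in: sessionDuration)
    }
    func stopSession() {
        timer?.invalidate()
        timer = nil
    }
    private func scheduleTimer(in interval: TimeInterval) {
        stopSession()
        timer = Timer.scheduledTimer(withTimeInterval: interval, repeats: false) { [weak self] _ in
            self?.endSession()
        }
    }
    @objc private func didBecomeActive() {
        // Wall-clock check: time spent in the background must not extend the session.
        let remaining = sessionDuration - Date().timeIntervalSince(lastActivity)
        if remaining > 0 { scheduleTimer(in: remaining) } else { endSession() }
    }
    private func endSession() {
        stopSession()
        onExpire?() // invalidate the session: drop tokens, return to login
    }
}

/// Assumed UIApplication subclass that reports every touch as user activity.
class ActivityTrackingApplication: UIApplication {
    override func sendEvent(_ event: UIEvent) {
        super.sendEvent(event)
        if event.type == .touches { SessionManager.shared.registerActivity() }
    }
}
```

The subclass only takes effect when it is passed as the principal class to `UIApplicationMain` (for example from `main.swift`); without it, `registerActivity()` must be called from the app's own gesture or view-controller code.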