
369 Set a maximum lifetime in sessions


Summary

Application sessions should have a maximum lifetime, regardless of the user activity (absolute timeout).


Description

Implementing an absolute timeout for application sessions is a security control that mitigates the risks associated with session hijacking and unauthorized access. It sets a limit on how long a user's session can persist on the system, regardless of the user's level of activity within the application. This ensures that, even if a user forgets to log out, there is a maximum duration for which an attacker who obtained the session could use it; an idle (inactivity) timeout alone does not provide this guarantee, because continued activity keeps extending it.
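As an added illustration (not code from this requirement page), a minimal session validator that enforces an absolute lifetime next to an idle timeout, showing that continued activity extends the idle window but never the absolute one. The `Session` structure, the lifetime values and the start time are assumptions chosen for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values are illustrative assumptions, not values taken from the requirement.
ABSOLUTE_LIFETIME = timedelta(hours=8)   # hard cap measured from session creation
IDLE_TIMEOUT = timedelta(minutes=30)     # inactivity cap, shown for contrast


@dataclass
class Session:
    user: str
    created_at: datetime      # fixed at creation; the absolute clock
    last_activity: datetime   # refreshed on every request; the idle clock


def new_session(user: str, now: datetime) -> Session:
    return Session(user=user, created_at=now, last_activity=now)


def touch(session: Session, now: datetime) -> None:
    """Record user activity. Extends only the idle window, never the absolute one."""
    session.last_activity = now


def validate(session: Session, now: datetime) -> str:
    """Return 'ok', 'expired_absolute' or 'expired_idle'.

    The absolute check runs first so that a session kept busy by an attacker
    (or a forgotten tab) still dies at the cap."""
    if now - session.created_at >= ABSOLUTE_LIFETIME:
        return "expired_absolute"
    if now - session.last_activity >= IDLE_TIMEOUT:
        return "expired_idle"
    return "ok"


def demo() -> dict:
    t0 = datetime(2024, 1, 18, 9, 0, tzinfo=timezone.utc)  # constructed start time
    results = {}
    # Session kept continuously active (a request every 10 minutes) up to the cap.
    s1 = new_session("alice", t0)
    t = t0
    while t - t0 < ABSOLUTE_LIFETIME:
        touch(s1, t)
        t += timedelta(minutes=10)
    results["active_at_cap"] = validate(s1, t)       # last touch was 10 min ago
    # Session with no activity at all: idle timeout fires well before the cap.
    s2 = new_session("bob", t0)
    results["idle_after_45m"] = validate(s2, t0 + timedelta(minutes=45))
    # Session touched at 20 min and checked at 40 min: both clocks are within limits.
    s3 = new_session("carol", t0)
    touch(s3, t0 + timedelta(minutes=20))
    results["active_at_40m"] = validate(s3, t0 + timedelta(minutes=40))
    return results
```

In a real deployment the creation timestamp must live server-side or inside an integrity-protected token, since a client-controlled value would let the holder reset the absolute clock.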


Supported In

Advanced: True


References


Weaknesses


Last updated

2024/01/18