The system must terminate a session if there is a period of inactivity on the user side of 5 minutes or more.
A system can leave a session indefinitely active if it does not have an automatic termination mechanism based on timeout and the user does not close it manually.
Failure to control timeouts may allow an attacker to take advantage of unattended sessions and execute actions on behalf of the authenticated user without their authorization. This risk can notably increase its criticality if this is also the behavior of high-privileged administrator accounts, since it would affect the integrity, confidentiality and availability of the system, its users and the information it contains.
Set a session timeout: Depending on the business needs and/or the company’s session management policies, a timeout must be set for unattended or idle sessions (5 minutes recommended).
An employee or anonymous user takes control of an unattended device with an active session without the user’s authorization.
In a web server, having several open sessions during a long period forces the server to allocate a considerable amount of memory for session objects.
Layer: Resource layer
Asset: Session management
Type of control: Procedure
CAPEC-227: Sustained Client Engagement. An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible.
CWE-404: Improper Resource Shutdown or Release According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
HIPAA Security Rules 164.312(a)(2)(iii): Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
NIST 800-53 AC-2 (2) The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements.(3.3.2) If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period.
OWASP-ASVS v4.0.1 V3.6 Re-authentication from a Federation or Assertion.(3.6.1) Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven’t used a session within that period.
OWASP-ASVS v4.0.1 V3.6 Re-authentication from a Federation or Assertion.(3.6.2) Verify that CSPs inform relying parties of the last authentication event, to allow RPs to determine if they need to re-authenticate the user.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.