The system must close a session if there is a period of inactivity on the user side greater than or equal to 5 minutes.
A system can leave a session indefinitely active if it does not have an automatic termination mechanism based on timeout and the user does not close it manually.
Failure to control timeouts may allow an attacker to take advantage of unattended sessions and execute actions on behalf of the authenticated user without their authorization. This risk becomes notably more critical if high-privileged administrator accounts behave the same way, since it would affect the integrity, confidentiality and availability of the system, its users and the information it contains.
Set a session timeout: Depending on the business needs and/or the company’s session management policies, a timeout must be set for unattended or idle sessions (5 minutes recommended).
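As an added example (not code from the original page), a minimal server-side session store in Python that enforces the 5-minute inactivity limit described above: a session idle for at least the limit is destroyed the next time its ID is presented, a live session has its window refreshed, and a periodic sweep reclaims the memory that abandoned sessions would otherwise hold. The class and function names and the injectable clock are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 5 * 60  # recommended 5-minute inactivity limit


class Session:
    def __init__(self, user, last_activity):
        self.user = user
        self.last_activity = last_activity


class SessionStore:
    """Server-side session store with an idle (sliding) timeout.

    Expiry is enforced on the server, not only through a cookie lifetime, so a
    stale session ID presented later is rejected even if the client kept it.
    `clock` is injectable so the timeout can be tested without sleeping.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # session ID -> Session

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[sid] = Session(user, self.clock())
        return sid

    def lookup(self, sid):
        """Return the user of a live session, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity >= self.idle_timeout:
            del self._sessions[sid]  # idle too long: terminate, never resume
            return None
        session.last_activity = now  # activity refreshes the idle window
        return session.user

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def reap(self):
        """Sweep sessions nobody touched again; returns how many were freed."""
        now = self.clock()
        stale = [s for s, v in self._sessions.items()
                 if now - v.last_activity >= self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def active_count(self):
        return len(self._sessions)
```

Call `reap()` from a scheduled job so that sessions whose owners simply walked away do not accumulate in memory until someone happens to present their ID.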
An employee or anonymous user takes control of an unattended device with an active session without the user’s authorization.
In a web server, keeping several sessions open for a long period forces the server to allocate a considerable amount of memory for session objects.
Layer: Resource Layer.
Asset: Session Management.
Type of Control: Procedure.
BSIMM9 SM2.6: Require security sign-off.
CWE-404: Improper Resource Shutdown or Release. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
HIPAA Security Rules 164.312(a)(2)(iii): Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
NIST 800-53 AC-2 (2): The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements. (3.3.2) If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period.
OWASP-ASVS v4.0.1 V3.6 Re-authentication from a Federation or Assertion. (3.6.1) Verify that relying parties specify the maximum authentication time to CSPs and that CSPs re-authenticate the subscriber if they haven’t used a session within that period.