REQ.023 Close inactive users sessions

This document contains the details of the security requirement related to web application session management and session variables. This requirement establishes the importance of closing inactive user sessions after a certain period of inactivity in order to avoid security breaches.


The system must close a session if there is a period of inactivity on the user side greater than or equal to 5 minutes.


A system that has authentication and login can keep a session open for an indefinite period if there is no automatic control of session closure and the user does not close it manually.

Failure to control the closing times may allow an attacker to take advantage of unattended sessions and execute actions on behalf of the authenticated user without their authorization, altering confidential information associated with accounts. This risk increases notably in criticality if the system grants entry to administrators with high privileges, since it would affect the integrity, confidentiality and availability of the system, its users and the information it contains.


Set the session times: Depending on the business needs and/or the company's session management policies, end times for unattended sessions must be set to a prudent value (5 minutes is recommended).
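The following is an added example, not code from Fluid Attacks or from any product this requirement applies to. It shows one way to implement the rule above in a server-side session store: every request validates the session and closes it when the idle time reaches 5 minutes, and a periodic sweep removes abandoned sessions so they stop consuming server memory. It goes beyond the 5-minute rule by also enforcing an absolute timeout that activity cannot extend (the control cited below from OWASP ASVS 3.4); the 8-hour default for that cap, the injectable clock, the `FakeClock` helper and the `demo()` scenario are all constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# REQ.023: a session idle for >= 5 minutes must be closed.
IDLE_TIMEOUT_SECONDS = 5 * 60
# Assumed policy value (not from the page): hard cap regardless of activity.
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # when the session was issued (absolute timeout base)
    last_seen: float    # last validated request (idle timeout base)


class SessionStore:
    """In-memory session store enforcing idle and absolute timeouts.

    `clock` is injectable so expiry can be exercised without waiting
    (a testing convenience assumed here, not a requirement of the page).
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle = idle_timeout
        self._absolute = absolute_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        idle_too_long = now - s.last_seen >= self._idle
        past_hard_cap = now - s.created_at >= self._absolute
        return idle_too_long or past_hard_cap

    def touch(self, sid: str) -> Optional[str]:
        """Validate the session on every request.

        Returns the user if the session is still valid and resets the idle
        timer; otherwise destroys the session and returns None, which the
        caller must treat as "logged out".
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def reap(self) -> int:
        """Server-side sweep: close expired sessions nobody touches anymore,
        so abandoned sessions do not keep consuming memory. Returns the count."""
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed clock for the demo; advance() simulates elapsed seconds."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Constructed scenario exercising the idle rule, the absolute cap and the sweep."""
    clock = FakeClock()
    store = SessionStore(clock=clock, absolute_timeout=60 * 60)
    sid = store.create("alice")
    clock.advance(4 * 60 + 59)
    alive = store.touch(sid)        # 4:59 idle: still valid, idle timer resets
    clock.advance(5 * 60)
    closed = store.touch(sid)       # exactly 5:00 since last activity: closed

    # Absolute cap (1 hour here): touching every 4:59 never extends past it.
    sid2 = store.create("admin")
    results = []
    for _ in range(13):             # 13 * 299 s = 3887 s > 3600 s
        clock.advance(5 * 60 - 1)
        results.append(store.touch(sid2))
    absolute_closed = results[-1] is None and all(r == "admin" for r in results[:-1])

    # Sweep: an abandoned session is removed without any request touching it.
    sweep_store = SessionStore(clock=clock)
    sweep_store.create("bob")
    clock.advance(5 * 60)
    reaped = sweep_store.reap()

    return {"alive_at_4m59": alive, "closed_at_5m00": closed,
            "absolute_closed": absolute_closed, "reaped": reaped,
            "remaining": len(sweep_store)}
```

Two points matter for the rule as written: the comparison is `>=`, so a session is closed at exactly 5 minutes of inactivity rather than just after it, and expiry is decided server-side on every request, so a client that merely stops sending a logout cannot keep the session alive.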


  1. An employee or anonymous user takes control of an account left unattended by another user without their authorization. [1] [2]

  2. On a web server, keeping several sessions open for a long period forces the server to consume a lot of memory by creating and maintaining session objects.


  • Layer: Resource Layer.

  • Asset: Session Management.

  • Scope: Adherence.

  • Phase: Operation.

  • Type of Control: Procedure.


  1. [PCI DSS 3.0] 6.5.10 Broken authentication and session management.

  2. Top 10 2013-A2-Broken Authentication and Session Management.

  3. HIPAA Security Rules 164.312(a)(2)(iii): Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

  4. OWASP-ASVS v3.1-3.3. Verify that sessions timeout after a specified period of inactivity.

  5. OWASP-ASVS v3.1-3.4. Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout).

  6. NIST 800-53 AC-12 Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

  7. NIST 800-53 AC-2 (2) The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].

  8. BSIMM9 SM2.6: Require security sign-off.
