ColdFusion must set a maximum session time-out value.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62357	CF11-01-000011	SV-76847r1_rule		Medium

Description
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting system-wide for session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. To control how large a developer can set the timeout to, a maximum setting is provided.

Description

An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting system-wide for session timeout. ColdFusion also allows a developer to override the default timeout setting and set a new timeout. To control how large a developer can set the timeout to, a maximum setting is provided.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-06-15

Details

Check Text ( C-63161r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If the "Session Variables" setting under the "Maximum Timeout" section is set greater than "1" hour, this is a finding.

Fix Text (F-68277r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the "Session Variables" setting under the "Maximum Timeout" section to "1" hour or less and select the "Submit Changes" button.