UCF STIG Viewer Logo

ColdFusion must automatically terminate a user session after user inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62355 CF11-01-000010 SV-76845r1_rule Medium
Description
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Such an event is user inactivity. ColdFusion offers an inactivity parameter that allows the setting of a system-wide timeout for sessions. If this parameter is set too large, the usefulness of the parameter is lost. Care must be taken to not allow sessions to be open longer than needed, but also not set so short that users are unable to use the hosted applications.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-12-31

Details

Check Text ( C-63159r1_chk )
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu.

If the "Session Variables" setting under the "Default Timeout" section is set greater than 15 minutes, this is a finding.
Fix Text (F-68275r1_fix)
Navigate to the "Memory Variables" page under the "Server Settings" menu. Set the "Session Variables" setting under the "Default Timeout" section to 15 minutes or less and select the "Submit Changes" button.