UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16802 APP3415 SV-17802r1_rule ECLO-1 Medium
Description
In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to use the previous user's session to the application.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-17798r1_chk )
Interview application representative to identify the length of time a user can be idle before the application will time out and terminate the session and require reauthentication.

1) If the application representative states that one or all of the limits are absent for one or more session types, it is a finding.

In many cases, session configuration parameters can be examined. If configuration parameters are embedded within the application they may not be available for review. Any configuration settings that are not configurable should be manually tested. The preferred method depends on the application environment.

Manually validate session limits by empirical testing (logon on multiple times and leaving sessions idle). In some cases, testing session limits is not feasible because they may be set too high to properly simulate them during the review.

Even if the application does not provide time limits for idle sessions, such limits may exist at the transport layer (e.g., TCP timeouts). Consider all possible ways in which limits might be enforced before documenting a finding.

2) If there is no evidence of a required session timeout, it is a finding.
Fix Text (F-17074r1_fix)
Implement session timeouts and automatic logout in the application.