
The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.


Overview

Finding ID: V-16802
Version: APP3415
Rule ID: SV-17802r1_rule
IA Controls: ECLO-1
Severity: Medium
Description
In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to use the previous user's session to the application.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-17798r1_chk )
Interview the application representative to identify the length of time a user can be idle before the application times out, terminates the session, and requires reauthentication.

1) If the application representative states that an idle time limit is absent for one or more session types, it is a finding.

In many cases, session configuration parameters can be examined directly. If the parameters are embedded (hard-coded) within the application, they may not be available for review; any limit that is hard-coded rather than configurable should be validated by manual testing. The preferred method depends on the application environment.

Manually validate session limits by empirical testing (log on multiple times and leave the sessions idle). When testing, confirm that the server rejects the old session identifier once the idle period has elapsed, not merely that the client interface shows a logout; a client-side timer that redirects to the login page while the server-side session remains valid does not satisfy this requirement. In some cases, testing session limits is not feasible because they are set too high to simulate within the time available for the review.

Even if the application itself does not enforce an idle time limit, one may be enforced elsewhere, for example by the web or application server's session timeout setting or at the transport layer (e.g., TCP timeouts). Consider all possible ways in which limits might be enforced before documenting a finding, but count such a limit only if it actually invalidates the application session: a TCP connection timing out does not by itself terminate a session whose identifier (e.g., a session cookie) remains valid on the server and can be presented on a new connection.

2) If there is no evidence of a required session timeout, it is a finding.
Fix Text (F-17074r1_fix)
Implement server-side session timeouts and automatic logout in the application: record the time of last activity for each session, and when a request arrives after the system-defined idle limit has elapsed (or a periodic sweep finds such a session), destroy the session on the server and require the user to reauthenticate.
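The following is an added example, not code from the STIG or from any particular application, showing one way to implement the fix and to run the empirical check described in the Check Text above without waiting out a long idle limit. It assumes a hypothetical in-memory session store (`SessionStore`) with a hypothetical 15-minute idle limit (`IDLE_TIMEOUT_SECONDS`); the injectable clock (`FakeClock`) is what makes a high limit testable during a review. All users and timings below are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical system-defined idle limit (assumption for this example).
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_activity: float  # clock reading of the most recent authenticated request


class SessionStore:
    """Server-side session store that enforces an idle timeout.

    Every request must pass through touch(); if the gap since the last request
    exceeds the idle limit, the session is destroyed on the server (automatic
    logout) so a later user of the same machine cannot resume it, and the
    caller must reauthenticate.  `clock` is injectable so the limit can be
    exercised in a test without actually idling for IDLE_TIMEOUT_SECONDS.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}

    def login(self, user):
        """Create a session with an unguessable identifier after authentication."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_activity=self.clock())
        return sid

    def touch(self, sid):
        """Validate a session on each request; return the user, or None if logged out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_activity > self.idle_timeout:
            del self._sessions[sid]  # idle limit exceeded: terminate server-side
            return None
        s.last_activity = now  # sliding window: activity resets the idle clock
        return s.user

    def logout(self, sid):
        """Explicit user logout."""
        self._sessions.pop(sid, None)

    def reap_idle(self):
        """Background sweep for idle sessions that never sent another request."""
        now = self.clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


class FakeClock:
    """Controllable clock so the reviewer can simulate a long idle period."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def empirical_idle_test(idle_timeout=IDLE_TIMEOUT_SECONDS):
    """Simulates the STIG check: log on, stay active, then go idle past the limit.

    Returns a dict of observations a reviewer would record as evidence.
    """
    clock = FakeClock()
    store = SessionStore(idle_timeout=idle_timeout, clock=clock)
    sid = store.login("alice")  # constructed test user
    results = {}
    clock.advance(idle_timeout - 1)
    results["active_before_limit"] = store.touch(sid) == "alice"
    clock.advance(idle_timeout - 1)
    results["sliding_window"] = store.touch(sid) == "alice"  # prior activity reset the timer
    clock.advance(idle_timeout + 1)
    results["terminated_after_idle"] = store.touch(sid) is None
    results["reuse_rejected"] = store.touch(sid) is None  # the old id stays dead
    return results


if __name__ == "__main__":
    print(empirical_idle_test())
```

The check in `touch()` is what must exist on the server; `reap_idle()` covers the case the Check Text is really about, a user who walks away and never sends another request, so the session would otherwise sit valid until someone else at the shared machine picks it up.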