UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

HTTP session timeout must be configured.


Overview

Finding ID Version Rule ID IA Controls Severity
V-250340 IBMW-LS-000720 SV-250340r795073_rule Medium
Description
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
STIG Date
IBM WebSphere Liberty Server Security Technical Implementation Guide 2021-08-30

Details

Check Text ( C-53775r795071_chk )
As a user with access to the server xml file, review the contents and verify the httpSession time out setting is configured for 10 minutes.

If the ${server.config.dir}/server.xml does not define the timeout setting as 10 minutes, this is a finding.

Fix Text (F-53729r795072_fix)
The ${server.config.dir}/server.xml file must be configured to update the invalidationTimeout attribute on the httpSession element to set the session timeout value in hours (h) or minutes (m). The server.xml file must define the following:



By default, httpSession invalidationTimeout is set to 30m.