Application sessions should have a maximum lifetime, so that they expire regardless of user activity (absolute timeout).
This requirement is verified in the following references:
- NIST 800-53-AC-12. Session termination
- OWASP TOP 10-A7. Identification and authentication failures
- PA-DSS-5_2_10. Broken authentication and session management
- CMMC-IA_L2-3_5_6. Identifier handling
- HITRUST CSF-01_u. Limitation of connection time
- ISA/IEC 62443-CR-3_1-RE_1. Communication authentication
- WASC-W_47. Insufficient session expiration
- OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
- OWASP SCP-4. Session management
- CWE™-613. Insufficient session expiration
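The difference between an idle timeout and the absolute timeout this requirement asks for is easiest to see in code. The following is an added example, not code from the original page or from the standards listed above; the `Session` record, the timeout values and the `simulate` driver are constructed for illustration. It shows a weak validator that only checks inactivity next to a hardened one that also enforces a lifetime measured from session creation, and a small loop that keeps a session continuously active to show which validator eventually rejects it.

```python
"""Session validation with idle and absolute timeouts (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60        # seconds allowed since the last request
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds allowed since the session was created


@dataclass(frozen=True)
class Session:
    user: str
    created_at: float   # set once at login, never updated
    last_seen: float    # refreshed on every authenticated request


def is_valid_idle_only(s: Session, now: float) -> bool:
    """Weak check: a session that is used regularly never expires."""
    return now - s.last_seen < IDLE_TIMEOUT


def is_valid(s: Session, now: float) -> bool:
    """Hardened check: inactivity limit AND a hard lifetime from creation."""
    if now - s.created_at >= ABSOLUTE_TIMEOUT:
        return False          # absolute timeout: re-authentication required
    if now - s.last_seen >= IDLE_TIMEOUT:
        return False          # idle timeout
    return True


def touch(s: Session, now: float) -> Session:
    """Record activity. Only last_seen moves; created_at is immutable."""
    return Session(s.user, s.created_at, now)


def simulate(check: Callable[[Session, float], bool],
             total_seconds: int, step_seconds: int = 60) -> Optional[float]:
    """Keep a session active every `step_seconds` and return the time at
    which `check` first rejects it, or None if it survives the whole run."""
    now = 0.0
    s = Session("alice", created_at=now, last_seen=now)
    while now < total_seconds:
        now += step_seconds
        if not check(s, now):
            return now
        s = touch(s, now)
    return None


if __name__ == "__main__":
    day = 24 * 3600
    print("idle-only validator rejects at:", simulate(is_valid_idle_only, day))
    print("idle+absolute validator rejects at:", simulate(is_valid, day))
```

Run stand-alone, the idle-only validator never rejects the continuously active session in a 24-hour run, while the combined validator rejects it at exactly `ABSOLUTE_TIMEOUT` seconds after creation. In a real application `now` would come from the server clock and `created_at` would be stored server-side with the session record; a cookie `Max-Age` or `Expires` attribute alone does not satisfy the requirement, because the client controls whether it honours it.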