Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

J2EE Misconfiguration: Excessive Session Timeout

Java/JSP

Abstract

An overly long session timeout gives attackers more time to potentially compromise user accounts.

Explanation

The longer a session stays open, the larger the window of opportunity an attacker has to compromise user accounts. While a session remains active, an attacker may be able to brute-force a user's password, crack a user's wireless encryption key, or commandeer a session from an open browser. Longer session timeouts can also prevent memory from being released and eventually result in a denial of service if a sufficiently large number of sessions are created.

Example 1: If the session timeout is zero or less than zero, the session never expires. The following example shows a session timeout set to -1, which will cause the session to remain active indefinitely.


<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

The <session-timeout> tag defines the default session timeout interval for all sessions in the web application. If the <session-timeout> tag is missing, it is left to the container to set the default timeout.

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 613

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361, CCI-004190

[4] Standards Mapping - FIPS200 IA

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, MA-4 Nonlocal Maintenance

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)

[10] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 8.2.8

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration

desc.config.java.j2ee_misconfiguration_excessive_session_timeout