December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 8-3: Enforcing Session Timeouts
This recipe shows you how to utilize session timeouts to limit the length of active sessions.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
- ModSecurity
- RESPONSE_HEADERS:Set-Cookie variable
- REQUEST_HEADERS:Cookie variable
- setsid action
- setvar action
- expirevar action
How long should an application session be valid? Five minutes? An hour? Forever? The answer depends greatly on your unique application and the processing that is required. The Open Web Application Security Project (OWASP) suggests the following expiration ranges in the Session Management Cheat Sheet1 document:
- Between 2-5 minutes for high-value applications
- Between 15-30 minutes for low-risk applications
Although the expiration ranges may differ, it is recommended that you set some type of session timeout. This will minimize an attacker’s window of opportunity for session hijacking if he is successful in obtaining your current SessionID. An application session timeout therefore is important, because it forces a user to reauthenticate after a period of time. This recipe discusses two types of session timeouts: session inactivity and total session duration.
Session Inactivity Timeout
Session inactivity occurs when a user does not interact with the application for a period of time. Consider the following scenario:
1. A user authenticates to the application.
2. The application has a session ...