Recipe 8-3: Enforcing Session Timeouts
This recipe shows you how to utilize session timeouts to limit the length of active sessions.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
  • ModSecurity
    • RESPONSE_HEADERS:Set-Cookie variable
    • REQUEST_HEADERS:Cookie variable
    • setsid action
    • setvar action
    • expirevar action
How long should an application session be valid? Five minutes? An hour? Forever? The answer depends greatly on your unique application and the processing that is required. The Open Web Application Security Project (OWASP) suggests the following expiration ranges in the Session Management Cheat Sheet1 document:
  • Between 2-5 minutes for high-value applications
  • Between 15-30 minutes for low-risk applications
Although the expiration ranges may differ, it is recommended that you set some type of session timeout. This will minimize an attacker’s window of opportunity for session hijacking if he is successful in obtaining your current SessionID. An application session timeout therefore is important, because it forces a user to reauthenticate after a period of time. This recipe discusses two types of session timeouts: session inactivity and total session duration.
Session Inactivity Timeout
Session inactivity occurs when a user does not interact with the application for a period of time. Consider the following scenario:
1. A user authenticates to the application.
2. The application has a session ...

Get Web Application Defender's Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.