# SESSION TIMEOUT

| Feature | Value |
|---|---|
| Type | Detection |
| Risk | OWASP A2 |
| Covered by | Agent |

Session timeout defines the window of time during which a user's session remains valid. That same window is the time available to an attacker who tries to steal and use an existing user session. Therefore, the longer the session timeout, the easier it is for cross-user web attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) to succeed.

The session timeout value should not be greater than 30 minutes. Applications that handle sensitive data tend to use short timeouts, usually between 15 and 30 minutes.

## How to solve it

Best practices:

• Set the session timeout to the smallest value the application's context allows
• Avoid "infinite" session timeouts
• Log session creation and destruction so that the creation trend can be analysed and an abnormal number of session creations detected (a sign of the application profiling phase of an attack)
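The following is an added example, not code from the original page or from the agent it describes. It shows an in-memory session store that refuses an idle timeout above the 30-minute bound given above or an "infinite" one, expires sessions on both inactivity and an absolute lifetime, records create/destroy events, and runs a sliding-window monitor that flags bursts of session creation. All class names, the 15-minute default, the 8-hour absolute lifetime and the burst threshold are assumptions chosen for illustration; time is passed in explicitly so the behaviour is deterministic.

```python
"""Added example: bounded session timeouts plus creation-rate monitoring.
Names, defaults and thresholds are assumptions, not values from the page."""
from __future__ import annotations

import secrets
from collections import deque
from dataclasses import dataclass

MAX_IDLE_SECONDS = 30 * 60          # upper bound recommended by the page
DEFAULT_IDLE_SECONDS = 15 * 60      # assumed default for a sensitive application
DEFAULT_ABSOLUTE_SECONDS = 8 * 3600  # assumed hard cap regardless of activity


@dataclass
class Session:
    user: str
    created_at: float   # seconds (monotonic or epoch, caller's choice)
    last_seen: float


class SessionStore:
    """Server-side session table enforcing idle and absolute timeouts."""

    def __init__(self, idle_seconds: int = DEFAULT_IDLE_SECONDS,
                 absolute_seconds: int = DEFAULT_ABSOLUTE_SECONDS) -> None:
        # Reject "infinite" (None / non-positive) and over-long idle timeouts.
        if idle_seconds is None or idle_seconds <= 0 or idle_seconds > MAX_IDLE_SECONDS:
            raise ValueError(f"idle timeout must be 1..{MAX_IDLE_SECONDS} seconds")
        if absolute_seconds is None or absolute_seconds < idle_seconds:
            raise ValueError("absolute lifetime must be finite and >= idle timeout")
        self.idle_seconds = idle_seconds
        self.absolute_seconds = absolute_seconds
        self._sessions: dict[str, Session] = {}
        # Audit trail of (event, session_id, time); feed this to the SIEM.
        self.events: list[tuple[str, str, float]] = []

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = Session(user, created_at=now, last_seen=now)
        self.events.append(("create", sid, now))
        return sid

    def touch(self, sid: str, now: float) -> Session | None:
        """Validate a session on each request; returns None if absent/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_seconds:
            self.destroy(sid, now, reason="idle")
            return None
        if now - s.created_at > self.absolute_seconds:
            self.destroy(sid, now, reason="absolute")
            return None
        s.last_seen = now  # sliding idle window
        return s

    def destroy(self, sid: str, now: float, reason: str = "logout") -> bool:
        if self._sessions.pop(sid, None) is None:
            return False
        self.events.append((f"destroy:{reason}", sid, now))
        return True


class CreationRateMonitor:
    """Flags when more than `threshold` sessions are created within `window_seconds`."""

    def __init__(self, window_seconds: float = 60.0, threshold: int = 20) -> None:
        self.window_seconds = window_seconds
        self.threshold = threshold
        self._times: deque[float] = deque()

    def record(self, now: float) -> bool:
        """Record one creation; True means the rate is abnormal."""
        self._times.append(now)
        while self._times and now - self._times[0] > self.window_seconds:
            self._times.popleft()
        return len(self._times) > self.threshold


if __name__ == "__main__":
    store = SessionStore(idle_seconds=900)
    sid = store.create("alice", now=0.0)
    print(store.touch(sid, now=800.0) is not None)   # still valid
    print(store.touch(sid, now=1800.0))              # expired by inactivity
    print(store.events)
```

The idle timeout is reset on every request, so the absolute lifetime is what stops a stolen session from being kept alive indefinitely by periodic requests; the monitor's `record` call belongs next to `create` in the login handler, and a `True` result is what the third bullet above asks the application to alert on.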