SESSION TIMEOUT

Feature      Value
Type         Detection
Risk         OWASP A2
Covered by   Agent

The session timeout defines how long a user's session stays valid without further activity. That window is also the time an attacker has to steal and reuse an existing user session, so the longer the session timeout, the easier it is for cross-user web attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) to succeed.

The session timeout value should not be greater than 30 minutes. Applications that handle sensitive data tend to use shorter timeouts, usually between 15 and 30 minutes.
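The following is an added example, not code from the original page or from the agent it describes. It shows the mechanism the text is talking about: a server-side session store that expires a session once it has been idle longer than the configured timeout, so a stolen session identifier stops working at the server rather than only when the browser drops its cookie. The `SessionStore` class, the `check_timeout_config` helper and the absolute-lifetime cap are assumptions chosen for illustration; the 30-minute upper bound and the 15-to-30-minute range are the values stated on this page.

```python
# Added example (not the original page's or its agent's code): a minimal
# server-side session store enforcing an idle timeout, plus a configuration
# check against the page's 30-minute upper bound.
import time
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_RECOMMENDED_IDLE_SECONDS = 30 * 60   # upper bound stated on the page
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # assumption: hard cap regardless of activity


@dataclass
class Session:
    user: str
    created_at: float   # epoch seconds when the session was issued
    last_seen: float    # epoch seconds of the last accepted request


class SessionStore:
    """Holds sessions server-side so expiry is enforced by the server, not the client."""

    def __init__(self, idle_timeout: int, absolute_timeout: int = ABSOLUTE_LIFETIME_SECONDS):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            # Expire server-side: a stolen identifier stops working here, not
            # merely when the browser discards its cookie.
            del self._sessions[sid]
            return None
        session.last_seen = now  # sliding window: activity extends the session
        return session.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


def check_timeout_config(idle_timeout_seconds: int) -> list[str]:
    """Flag an idle timeout outside the page's guidance (<= 30 min; 15-30 min for sensitive data)."""
    findings = []
    if idle_timeout_seconds <= 0:
        findings.append("idle timeout disabled: sessions never expire on inactivity")
    elif idle_timeout_seconds > MAX_RECOMMENDED_IDLE_SECONDS:
        findings.append(
            f"idle timeout {idle_timeout_seconds // 60} min exceeds the 30 min maximum")
    return findings


if __name__ == "__main__":
    store = SessionStore(idle_timeout=15 * 60)
    sid = store.create("alice", now=0)
    print(store.resolve(sid, now=10 * 60))   # alice: within the idle window
    print(store.resolve(sid, now=40 * 60))   # None: 30 min idle > 15 min timeout
    print(check_timeout_config(2 * 60 * 60))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production it is left unset and `time.time()` is used. The absolute lifetime is a complement to the idle timeout the page describes: it bounds how long a session can be kept alive by continuous activity, which is the case a sliding idle window alone does not cover.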

More information

How to solve it

Best practices: