Customer undertaking penetration testing has observed no apparent Idle Session Timeout for Admin Portal users
Customer has advised they would like to see the following implemented:
- Destroy the session on the server and force the browser to navigate away from any sensitive pages after an appropriate interval of idle time (15 to 20 minutes).
- Set session timeout to the minimal value possible depending on the context of the application.
- Avoid "infinite" session timeout.
- Prefer declarative definition of the session timeout to apply a global timeout for all application sessions.
- Trace session creation/destruction in order to analyze the creation trend and try to detect a normal number of session creations (application profiling phase in an attack).
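As an added illustration (not 3scale code, and not part of the customer's report), the following Ruby sketch shows the three behaviours requested above working together: an idle timeout enforced server-side, a Rack-style guard that redirects an expired session to the login page so the browser leaves the sensitive page, and an event trail of session creation/destruction that can be bucketed to profile the creation trend. The 15-minute idle value is the lower bound from the request; the `IdleSessionStore` and `SessionGuard` classes, the injectable clock and the `/login` path are assumptions made for the example.

```ruby
require 'securerandom'
require 'time'

# Server-side session store with an idle timeout. Assumed design for this
# example: sessions are keyed by a random id and expire when not touched
# for longer than idle_timeout seconds. The clock is injectable so the
# behaviour can be exercised without waiting.
class IdleSessionStore
  IDLE_TIMEOUT = 15 * 60 # seconds; lower bound of the 15-20 minute window requested

  Session = Struct.new(:id, :user, :created_at, :last_seen_at)

  attr_reader :events

  def initialize(idle_timeout: IDLE_TIMEOUT, clock: -> { Time.now })
    @idle_timeout = idle_timeout
    @clock = clock
    @sessions = {}
    @events = [] # lifecycle trace: one hash per creation/destruction
  end

  def create(user)
    id = SecureRandom.hex(32)
    now = @clock.call
    @sessions[id] = Session.new(id, user, now, now)
    log(:created, id, user)
    id
  end

  # Returns the live session, or nil if unknown or idle-expired. An expired
  # session is destroyed on first touch, so presenting the stale cookie again
  # cannot revive it.
  def fetch(id)
    session = @sessions[id]
    return nil unless session
    now = @clock.call
    if now - session.last_seen_at > @idle_timeout
      destroy(id, :idle_timeout)
      return nil
    end
    session.last_seen_at = now
    session
  end

  def destroy(id, reason = :logout)
    session = @sessions.delete(id)
    log(:destroyed, id, session.user, reason) if session
    !session.nil?
  end

  # Periodic sweep for sessions that were abandoned and never touched again.
  def sweep!
    now = @clock.call
    @sessions.keys.each do |id|
      destroy(id, :idle_timeout) if now - @sessions[id].last_seen_at > @idle_timeout
    end
  end

  def live_count
    @sessions.size
  end

  # Creations per one-minute bucket, the raw material for spotting an
  # abnormal burst of session creation against the usual baseline.
  def creations_per_minute
    @events.select { |e| e[:event] == :created }
           .group_by { |e| e[:at].to_i / 60 }
           .transform_values(&:size)
  end

  private

  def log(event, id, user, reason = nil)
    @events << { at: @clock.call, event: event, session_id: id, user: user, reason: reason }
  end
end

# Rack-style guard (follows the call(env) -> [status, headers, body]
# convention without requiring the rack gem). A request whose session has
# idled out is answered with a redirect to the login page, so the browser
# navigates away from the sensitive page instead of sitting on stale content.
class SessionGuard
  def initialize(app, store, login_path: '/login')
    @app = app
    @store = store
    @login_path = login_path
  end

  def call(env)
    session = @store.fetch(env['session_id'])
    return [302, { 'Location' => @login_path, 'Cache-Control' => 'no-store' }, []] unless session
    env['current_user'] = session.user
    @app.call(env)
  end
end

# Walk a session through 10 idle minutes (still valid) and then 16 more
# (expired). Returns the observed statuses and the lifecycle trace.
def demo_idle_timeout
  t = Time.utc(2024, 1, 1, 12, 0, 0) # constructed fixed start time
  store = IdleSessionStore.new(clock: -> { t })
  app = ->(env) { [200, {}, ["hello #{env['current_user']}"]] }
  guard = SessionGuard.new(app, store)
  sid = store.create('admin')
  t += 10 * 60
  first = guard.call({ 'session_id' => sid })[0]
  t += 16 * 60
  second = guard.call({ 'session_id' => sid })[0]
  { first: first, second: second, live: store.live_count,
    events: store.events.map { |e| e[:event] },
    creations: store.creations_per_minute.values }
end

puts demo_idle_timeout.inspect if $PROGRAM_NAME == __FILE__
```

Because the expiry check runs on the server inside `fetch`, a client that keeps its cookie but stops sending requests cannot extend its own lifetime; the `sweep!` method covers sessions that are never touched again, and the `events` trail is what a detection rule would read when checking creation rates against the application's normal profile.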
Is related to: THREESCALE-693 Valid login session length should be configurable (Closed)