Check: APAS-CF-000555
Adobe ColdFusion STIG:
APAS-CF-000555
(in version v1 r1)
Title
ColdFusion must set a maximum session timeout value. (Cat II impact)
Discussion
An attacker can hijack a user session that is left open and thereby bypass the authentication process. To limit the exposure of open but unused sessions, ColdFusion must be configured to close them when a configured condition or trigger event, such as user inactivity, is met. ColdFusion provides a system-wide inactivity timeout for session variables. A developer can override that default for an individual application and set a different timeout; a separate maximum setting caps how large a developer may set it, so the maximum is the value that actually bounds session lifetime on the server.
Check Content
Validate the Session Variable Timeout configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Under the "Maximum Timeout" section, locate the setting for "Session Variables".

If the timeout value for Session Variables is set to greater than 1 hour, this is a finding.
Fix Text
Configure the Session Variable Timeout configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.
2. Under the "Maximum Timeout" section, locate the setting for "Session Variables".
3. Set the "Session Variables" maximum to "1" hour or fewer.
4. Select "Submit Changes".
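The Check and Fix above are Admin Console click-throughs. The following is an added example, not DISA or Adobe code, that audits the same setting offline and also shows the Discussion's point that a developer-requested timeout is capped at the administrator maximum. It assumes (labelled in the code) that the Memory Variables settings are stored in cf_home/lib/neo-runtime.xml as a WDDX packet whose struct keys include `sessionTimeout` and `sessionMaximumTimeout`, each a `days,hours,minutes,seconds` string; the packet below is constructed for the example, and the key names should be confirmed against a real neo-runtime.xml before the script is used on a server.

```python
"""Audit the ColdFusion session-variable maximum timeout (APAS-CF-000555).

Added example, not part of the STIG. ASSUMPTIONS: the Memory Variables
settings live in cf_home/lib/neo-runtime.xml as a WDDX packet whose struct
keys include 'sessionTimeout' and 'sessionMaximumTimeout', each stored as a
'days,hours,minutes,seconds' string. Verify against your own file first.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed WDDX shape; every value is made up.
# sessionMaximumTimeout is 2 hours, which the STIG treats as a finding.
SAMPLE_NEO_RUNTIME_XML = """<wddxPacket version='1.0'><header/><data><array length='1'>
<struct type='coldfusion.server.ConfigMap'>
<var name='applicationTimeout'><string>0,2,0,0</string></var>
<var name='applicationMaximumTimeout'><string>2,0,0,0</string></var>
<var name='sessionTimeout'><string>0,0,20,0</string></var>
<var name='sessionMaximumTimeout'><string>0,2,0,0</string></var>
</struct></array></data></wddxPacket>"""

MAX_ALLOWED_SECONDS = 60 * 60  # STIG ceiling for the session maximum: 1 hour
SESSION_MAX_KEY = "sessionMaximumTimeout"  # assumed key name
SESSION_DEFAULT_KEY = "sessionTimeout"      # assumed key name


def parse_timespan(value: str) -> int:
    """Convert a 'days,hours,minutes,seconds' string to total seconds."""
    parts = [int(p.strip()) for p in value.split(",")]
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected timespan format: {value!r}")
    days, hours, minutes, seconds = parts
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def load_timeouts(xml_text: str) -> dict:
    """Return {var name: seconds} for every *Timeout string var in the packet."""
    root = ET.fromstring(xml_text)
    timeouts = {}
    for var in root.iter("var"):
        name = var.get("name") or ""
        text_node = var.find("string")
        if name.lower().endswith("timeout") and text_node is not None:
            timeouts[name] = parse_timespan(text_node.text or "")
    return timeouts


def effective_session_timeout(requested_seconds, cfg: dict) -> int:
    """Session lifetime an application actually gets.

    Models the behaviour described in the Discussion: with no per-application
    override the server default applies; an override (this.sessionTimeout in
    Application.cfc) is honoured only up to the administrator maximum.
    """
    maximum = cfg[SESSION_MAX_KEY]
    if requested_seconds is None:
        return min(cfg[SESSION_DEFAULT_KEY], maximum)
    return min(requested_seconds, maximum)


def check_apas_cf_000555(cfg: dict) -> tuple:
    """Return (is_finding, message) for the 1-hour session maximum rule.

    A missing key is reported as a finding so the auditor confirms manually
    rather than silently passing the control.
    """
    if SESSION_MAX_KEY not in cfg:
        return True, f"{SESSION_MAX_KEY} not found; verify in the Admin Console"
    maximum = cfg[SESSION_MAX_KEY]
    hours = maximum / 3600
    if maximum > MAX_ALLOWED_SECONDS:
        return True, f"session maximum is {hours:g} h (> 1 h): finding"
    return False, f"session maximum is {hours:g} h (<= 1 h): not a finding"


if __name__ == "__main__":
    cfg = load_timeouts(SAMPLE_NEO_RUNTIME_XML)
    print(check_apas_cf_000555(cfg)[1])
    # A developer asking for 4 hours still gets only the 2-hour maximum.
    print("effective timeout for a 4 h request:",
          effective_session_timeout(4 * 3600, cfg) // 60, "min")
```

On a live server, replace `SAMPLE_NEO_RUNTIME_XML` with the contents of the real neo-runtime.xml; the finding logic is otherwise unchanged, and a fix simply requires the parsed maximum to be 3600 seconds or less.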
Additional Identifiers
Rule ID: SV-279073r1171560_rule
Vulnerability ID: V-279073
Group Title: SRG-APP-000295-AS-000263
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |