Check: TOMCAT-000295-AS-000263
Apache Tomcat Application Server STIG - Xylok Custom:
TOMCAT-000295-AS-000263
(in version v1 r1.1)
Title
The Tomcat server must automatically terminate a user session after an organization-defined time period. (Cat II impact)
Discussion
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To mitigate the risk posed by open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
Check Content
Review the Tomcat server web.xml file and determine if an organization-defined timeout has been implemented. The <session-timeout> tag should exist and contain a number of minutes defined by the organization. The following is an example:

<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes -->
</session-config>

If the <session-timeout> tag does not exist or does not match the organization-defined timeout, this is a finding.
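The following is an added example of automating this check; it is not part of the STIG text or of Tomcat itself. It parses a constructed web.xml fragment (namespace-agnostic, so Tomcat 9 javaee and Tomcat 10 jakartaee schemas both work), and it also flags the cases a manual review easily misses: a missing tag, a non-numeric value, duplicate tags, and a zero or negative value (which Tomcat treats as "sessions never expire").

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml fragment (not taken from a real server).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes -->
  </session-config>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}session-config' -> 'session-config'."""
    return tag.rsplit("}", 1)[-1]


def session_timeouts(web_xml_text):
    """Return every <session-timeout> value found under <session-config>, as raw strings."""
    root = ET.fromstring(web_xml_text)
    values = []
    for cfg in root.iter():
        if _local(cfg.tag) == "session-config":
            for child in cfg:
                if _local(child.tag) == "session-timeout":
                    values.append((child.text or "").strip())
    return values


def check_session_timeout(web_xml_text, required_minutes):
    """Evaluate the check. Returns (is_finding, reason); required_minutes is the
    organization-defined value and must match exactly, as the check content states."""
    values = session_timeouts(web_xml_text)
    if not values:
        return True, "no <session-timeout> tag in <session-config>"
    if len(values) > 1:
        return True, "multiple <session-timeout> tags: %s" % values
    raw = values[0]
    try:
        minutes = int(raw)
    except ValueError:
        return True, "non-numeric session-timeout %r" % raw
    if minutes <= 0:
        # Tomcat treats zero or negative as "never expire", which defeats the control.
        return True, "session-timeout %d means sessions never expire" % minutes
    if minutes != required_minutes:
        return True, "session-timeout is %d, organization requires %d" % (minutes, required_minutes)
    return False, "session-timeout is %d minutes" % minutes


if __name__ == "__main__":
    print(check_session_timeout(SAMPLE_WEB_XML, 30))
```

Point it at the real file with `check_session_timeout(open("/path/to/tomcat/conf/web.xml").read(), N)`, remembering that a per-application WEB-INF/web.xml can override the server-wide value and should be reviewed too.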
Fix Text
Configure the application server to terminate user sessions on defined conditions or trigger events.
Additional Identifiers
Rule ID: SV-71673r2_rule
Vulnerability ID: V-57401
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-002361 | The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
Controls
Number | Title
---|---
AC-12 | Session Termination