Details
Bug
Resolution: Not an issue
Neutral
Description
Session timeout not implemented
Description
The application's login session did not expire after a period of inactivity (idle time), so the session
remains valid for as long as the user's web browser stays open; a session cookie that is persisted to disk
would remain usable even across browser restarts.
Details
The application does not implement a session timeout in its main functionality. A session left unattended
(shared or unlocked workstation, lost device) can be used by anyone with access to the browser, and a
captured session token stays usable indefinitely. The finding can be verified by authenticating, leaving the
session idle for longer than the expected timeout, and replaying an authenticated request: if the request
still succeeds, no idle timeout is enforced server-side.
Recommendations
After a set period of inactivity the server should destroy the session record and log the user out; expiring
the cookie on the client alone is not sufficient, since a copied token would still be accepted.
An idle period of twenty minutes is typical for many applications, but the value should be set according to
security policy, with the effect on application usability considered as a trade-off. An absolute session
lifetime, independent of activity, is also recommended so that a session cannot be kept alive indefinitely by
periodic requests.
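The following is an added example of a server-side session store that enforces the recommended idle timeout together with an absolute lifetime; it is illustrative code written for this write-up, not code from the assessed application. The 20-minute idle window and 8-hour absolute cap are assumed values, and the injectable clock exists only so the timeouts can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 20 * 60        # assumed policy: destroy after 20 min of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap on session age, activity or not


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store; tokens are only meaningful while a record exists here."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable for testing; time.time in production

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256-bit random token, unguessable
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def _expired(self, s, now):
        return (now - s.last_seen > self.idle_timeout
                or now - s.created_at > self.absolute_timeout)

    def validate(self, token):
        """Return the user bound to token, or None. Expired sessions are destroyed on sight."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            self.destroy(token)   # server-side destruction: a replayed token is rejected
            return None
        s.last_seen = now          # sliding window: activity extends the idle deadline only
        return s.user

    def destroy(self, token):
        self._sessions.pop(token, None)

    def reap(self):
        """Periodic sweep so idle sessions do not linger until someone presents the token."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            self.destroy(t)
        return len(dead)


class FakeClock:
    """Constructed clock for the demonstration; advance() stands in for real elapsed time."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def idle_timeout_demo():
    """Activity within 20 min keeps the session alive; 21 idle minutes destroys it."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    tok = store.create("alice")
    results = []
    clock.advance(15 * 60); results.append(store.validate(tok))  # 15 min idle -> "alice"
    clock.advance(15 * 60); results.append(store.validate(tok))  # 15 min since last hit -> "alice"
    clock.advance(21 * 60); results.append(store.validate(tok))  # 21 min idle -> None, destroyed
    results.append(store.validate(tok))                          # replay of same token -> None
    return results


def absolute_timeout_demo():
    """Requests every 10 min never trip the idle limit, but the 8 h absolute cap still ends the session."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    tok = store.create("bob")
    results = []
    for _ in range(49):
        clock.advance(10 * 60)
        results.append(store.validate(tok))
    return results  # 48 x "bob" (up to 480 min), then None at 490 min


if __name__ == "__main__":
    print(idle_timeout_demo())
    print(absolute_timeout_demo())
```

The `validate` check is the one that matters for this finding: the decision is made against the server-side record, so a token the browser (or an attacker) keeps presenting after the idle window is refused regardless of the cookie's own expiry attribute. The `reap` sweep is a secondary control that keeps the store from holding dead sessions until their next use.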