Description

The session-timeout configuration element from WEB-INF/web.xml defines the default session timeout interval for all sessions created in this web application.

The current configuration specifies a session timeout value greater than 30 minutes.

Remediation

Decrease the value of session-timeout in WEB-INF/web.xml, as in this example:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>
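
One way to audit deployment descriptors for this finding is sketched below. This is an added example, not part of the original advisory; the function names and sample documents are constructed for illustration. It also flags values of 0 or less, which the Servlet specification treats as sessions that never time out.

```python
import xml.etree.ElementTree as ET

MAX_MINUTES = 30  # threshold used by this finding

# Constructed sample descriptors (not taken from any real application).
SAMPLE_LONG = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
</web-app>"""

SAMPLE_OK = "<web-app><session-config><session-timeout> 30 </session-timeout></session-config></web-app>"
SAMPLE_NEVER = "<web-app><session-config><session-timeout>-1</session-timeout></session-config></web-app>"
SAMPLE_MISSING = "<web-app><display-name>demo</display-name></web-app>"


def local(tag):
    """Strip a '{namespace}' prefix so every web-app schema version matches."""
    return tag.rsplit("}", 1)[-1]


def check_session_timeout(web_xml_text, max_minutes=MAX_MINUTES):
    """Return (status, detail) for the text of one WEB-INF/web.xml file."""
    root = ET.fromstring(web_xml_text)
    values = [
        (t.text or "").strip()
        for cfg in root.iter() if local(cfg.tag) == "session-config"
        for t in cfg if local(t.tag) == "session-timeout"
    ]
    if not values:
        return ("unset", "no session-timeout; container default applies")
    try:
        minutes = int(values[0])  # assumption: evaluate the first declaration
    except ValueError:
        return ("invalid", f"non-integer value {values[0]!r}")
    if minutes <= 0:
        # Servlet spec: a timeout of 0 or less means sessions never expire.
        return ("fail", f"{minutes}: sessions never time out")
    if minutes > max_minutes:
        return ("fail", f"{minutes} minutes exceeds {max_minutes}")
    return ("ok", f"{minutes} minutes")
```

An "unset" result still needs a manual look, because the effective timeout then comes from the container's own default.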
