Description

The session-timeout configuration element from WEB-INF/web.xml defines the default session timeout interval for all sessions created in this web application.

The current configuration specified a session timeout value greater than 30 minutes.

Remediation

Decrease the value for session-timeout in WEB-INF/web.xml like in this example: 

<session-config>
<session-timeout>30</session-timeout>
</session-config>

References

Session Timeout

Related Vulnerabilities

ViewState MAC Disabled

Internet Information Server returns IP address in HTTP header (Content-Location)

Laravel Terminal open

ASP.NET: Failure To Require SSL For Authentication Cookies

JAAS authentication bypass

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Configuration