Overly long session timeout in servlet configuration
Description
The session-timeout element in the WEB-INF/web.xml configuration file controls how long a user session stays active without user interaction. This vulnerability is present when the session timeout is configured to exceed 30 minutes, which lengthens the window in which an attacker can exploit an active session. Shorter timeout values reduce the risk by limiting the lifespan of session identifiers.
Remediation
Set the session-timeout value in WEB-INF/web.xml to 30 minutes or less, based on your application's security requirements and user activity patterns. For most applications a timeout between 15 and 30 minutes gives a good balance between security and user experience. Edit the web.xml file as follows:
<session-config>
    <session-timeout>30</session-timeout> <!-- Value is in minutes -->
</session-config>
For high-security applications handling sensitive data (financial, healthcare, or administrative systems), consider reducing the timeout to 15 minutes or less. After making this change, restart your application server to ensure the new configuration takes effect. Additionally, implement automatic session renewal for active users to prevent unexpected logouts during legitimate use.
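The following Python script is an added audit check for the rule above, not part of the rule's own tooling: it parses a web.xml, extracts session-timeout and classifies it as acceptable, over the 30-minute threshold, missing, or disabled (the Servlet specification treats a value of 0 or less as "never time out"). The sample web.xml strings and the namespace handling are assumptions constructed for the example.

```python
# Added example: a small audit script for the session-timeout rule above, not
# part of the rule's own tooling. The sample web.xml strings are constructed.
import xml.etree.ElementTree as ET
from typing import Optional

MAX_TIMEOUT_MINUTES = 30  # the threshold this rule uses


def session_timeout_minutes(web_xml: str) -> Optional[int]:
    """Return the <session-timeout> value in minutes, or None if not configured.

    web.xml usually declares a Java EE or Jakarta EE namespace, so elements are
    matched by local name rather than by a fixed namespace URI.
    """
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "session-timeout" and elem.text:
            return int(elem.text.strip())
    return None


def check_session_timeout(web_xml: str, max_minutes: int = MAX_TIMEOUT_MINUTES) -> str:
    """Classify the configured timeout against the finding described above."""
    minutes = session_timeout_minutes(web_xml)
    if minutes is None:
        return "missing"  # container default applies; set the value explicitly
    if minutes <= 0:
        return "never-expires"  # Servlet spec: 0 or negative disables the timeout
    if minutes > max_minutes:
        return "too-long"
    return "ok"


# Constructed sample configurations (not taken from a real deployment).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config><session-timeout>480</session-timeout></session-config>
</web-app>"""
NEVER_EXPIRES_WEB_XML = """<web-app>
  <session-config><session-timeout>0</session-timeout></session-config>
</web-app>"""
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config><session-timeout>20</session-timeout></session-config>
</web-app>"""
NO_TIMEOUT_WEB_XML = "<web-app><display-name>demo</display-name></web-app>"

if __name__ == "__main__":
    for name, xml in [("weak", WEAK_WEB_XML), ("zero", NEVER_EXPIRES_WEB_XML),
                      ("fixed", FIXED_WEB_XML), ("none", NO_TIMEOUT_WEB_XML)]:
        print(f"{name}: {check_session_timeout(xml)}")
```

Pass max_minutes=15 to apply the stricter threshold suggested for high-security applications.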