[Session Timeout Warning] Secured Session timeout warning
Question
Session Timeout Warning
Forge asset by OutSystems Labs

Hello!

By default, OS enables a session period of 12 hours.

We want to disable this behavior and enable only sessions of 30 minutes.

For that, we thought of using the "Session Timeout Warning" asset.

When we reviewed the asset, it seems that all the session variables are stored in local storage and can therefore be configured and edited by malicious users.

Is this not a vulnerability?

What can we improve on the asset to make it more secure?


Thanks,

Maayan

2020-12-30 08:58:13
Hillman
Staff

Hi Maayan,

As stated here, "Note that the 12-hour session timeout can't be configured."

This therefore can't be altered at the moment. The component above serves a different purpose, reminding users of the upcoming timeout, and therefore should not introduce any security risk even when amended by a malicious user. In other words, the things they can change are the pop-up time and message, which are stored separately on the client side, not the session timeout itself, which is stored on the server.

Cheers,

Hillman
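The separation Hillman describes, as an added illustration that is not the Forge asset's own code and not OutSystems platform code: the warning timer reads its pop-up delay and message from a localStorage-like store that the user controls, while session validity is decided only on the server from its own clock and fixed timeout. The storage key names (`sessionWarningMinutes`, `sessionWarningMessage`), the `fakeStorage` stand-in for `window.localStorage`, and the shape of the server session object are assumptions made for this example. Because the stored values are attacker-controlled, the client code validates and clamps them instead of trusting them.

```javascript
// Added example (not the Session Timeout Warning asset's code). Shows that
// editing client-side warning settings changes only when/what the popup shows,
// never whether the server still accepts the session.

const SERVER_SESSION_TIMEOUT_MS = 12 * 60 * 60 * 1000; // 12 h, as stated in the thread
const DEFAULT_WARNING_MS = 5 * 60 * 1000;               // assumed default warning lead time
const DEFAULT_MESSAGE = "Your session is about to expire.";

// --- client side: values that live in localStorage and that a user can edit ---

// Read warning settings from a localStorage-like object (anything with getItem).
// Key names are assumptions for this example. The store is under the user's
// control, so out-of-range or non-string values fall back to safe defaults.
function readWarningConfig(storage) {
  const rawMinutes = Number(storage.getItem("sessionWarningMinutes"));
  const rawMessage = storage.getItem("sessionWarningMessage");
  const warningMs =
    Number.isFinite(rawMinutes) && rawMinutes > 0 && rawMinutes <= 60
      ? rawMinutes * 60 * 1000
      : DEFAULT_WARNING_MS;
  const message =
    typeof rawMessage === "string" && rawMessage.length > 0 && rawMessage.length <= 200
      ? rawMessage
      : DEFAULT_MESSAGE;
  // Render `message` with textContent (not innerHTML) in real UI code,
  // since its content is user-supplied.
  return { warningMs, message };
}

// Decide whether the popup should be visible right now. This only drives the UI;
// it has no effect on the server-side session.
function shouldShowWarning(nowMs, sessionStartMs, config) {
  const expiresAt = sessionStartMs + SERVER_SESSION_TIMEOUT_MS;
  return nowMs >= expiresAt - config.warningMs && nowMs < expiresAt;
}

// --- server side: the only place session validity is decided ---

// Evaluated per request from the server's own record and clock. Nothing read
// from localStorage reaches this function, so tampering with the warning
// settings can neither extend nor shorten the real session.
function isSessionValid(session, nowMs) {
  return nowMs - session.createdAtMs < SERVER_SESSION_TIMEOUT_MS;
}

// Minimal in-memory stand-in for window.localStorage (constructed for the example).
function fakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (key) => (map.has(key) ? map.get(key) : null) };
}

// Scenario: a user edits the stored settings to an absurd warning delay.
function demo() {
  const start = 0;
  const session = { createdAtMs: start };
  const tampered = fakeStorage({
    sessionWarningMinutes: "999999",
    sessionWarningMessage: "Stay logged in forever",
  });
  const config = readWarningConfig(tampered); // 999999 is out of range -> default 5 min
  const justAfterTimeout = start + SERVER_SESSION_TIMEOUT_MS + 1000;
  return {
    config,
    warningShownOneMinuteBeforeExpiry: shouldShowWarning(
      start + SERVER_SESSION_TIMEOUT_MS - 60 * 1000, start, config),
    sessionValidAfterTimeout: isSessionValid(session, justAfterTimeout),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the split is that the client-side values are a convenience for the user, and the worst a tampering user can do is mislead themselves about when the popup appears; the 30-minute limit Maayan wants would have to be enforced by whatever issues and validates the session on the server, not by anything stored in the browser.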
