Session timeout for unauthenticated users
Question
Application Type
Reactive

I have a request from my security department to put a session timeout on our website. The website does not require login; customers have to submit certain information, which is stored in a database for a back-office person to access and action. Based on penetration testing: "An attacker can reuse the same session cookie days after the session was initiated. This puts the user at risk if their cookies get stolen. An attacker could acquire account information by stealing the session cookie by performing another attack such as cross-site scripting, phishing or social engineering." The recommendation is:

- The server should perform proper checks on the session state, disallowing an attacker from replaying previously destroyed session identifiers.

- All sessions should implement an idle or inactivity timeout. If that is not feasible, implement an absolute timeout.

Is this possible? Any advice will be greatly appreciated.
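The two recommendations in the question describe server-side checks, not a client-side timer: the server keeps the session state, refuses any identifier it no longer holds, and expires sessions on inactivity and on a hard lifetime. The following is an added example written for this thread (it is not code from the original post, from the Forge component mentioned below, or from OutSystems); it shows those checks in plain Python with an in-memory store, an injectable clock so the timeline can be walked through deterministically, and assumed values for the timeouts and the cookie name. A real deployment would back the store with a database or cache, but the checks are the same.

```python
"""Server-side session handling with idle and absolute timeouts.

Added example, not OutSystems code. The cookie name "sid", the timeout
values and the in-memory store are assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: 8 hours hard lifetime, regardless of activity


@dataclass
class Session:
    sid: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)   # e.g. the form the customer is filling in


class SessionStore:
    """Holds every live session; anything not in here is rejected outright."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle = idle
        self._absolute = absolute
        self._clock = clock            # injectable so the timeline below is deterministic

    def create(self):
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = Session(sid, now, now)
        return sid

    def destroy(self, sid):
        # Drop the server-side state. A stolen cookie carrying this id is now useless,
        # because lookup() only trusts ids it still holds.
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        """Return the live session for sid, or None if it is unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None                 # never issued, or already destroyed: no replay
        now = self._clock()
        too_old = now - sess.created_at > self._absolute    # absolute timeout
        too_idle = now - sess.last_seen > self._idle        # idle / inactivity timeout
        if too_old or too_idle:
            self.destroy(sid)           # expire server-side, not just in the browser
            return None
        sess.last_seen = now            # activity extends the idle window only
        return sess


def session_cookie_header(sid, max_age=ABSOLUTE_TIMEOUT):
    """Set-Cookie value for the session id (assumed cookie name "sid").

    Max-Age only advises the browser; the server-side checks above are what
    actually enforce the timeout. HttpOnly keeps the id away from page scripts,
    Secure keeps it off plaintext HTTP, SameSite=Lax limits cross-site sends.
    """
    return (f"sid={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


class FakeClock:
    """Constructed clock for the walk-through; returns a fixed time until advanced."""

    def __init__(self, t):
        self.t = float(t)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walkthrough():
    """Replay the pentest finding: a cookie presented long after issue is refused."""
    clock = FakeClock(0)
    store = SessionStore(idle=900, absolute=3600, clock=clock)
    sid = store.create()
    clock.advance(2 * 24 * 3600)            # attacker tries the stolen cookie two days later
    return store.lookup(sid) is None        # True: the id is rejected and destroyed


if __name__ == "__main__":
    print("stale cookie rejected:", walkthrough())
```

Note that the stolen-cookie scenario from the pentest is only closed off because expiry is decided by the server on every request; a browser-side countdown that merely redirects the user does nothing against an attacker who already holds the cookie.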

There is a component in Forge that can help you with this:

https://www.outsystems.com/forge/component-overview/1365/browser-session-timeout

Forgive me as I am new to OutSystems... the component is for Traditional Web while my project is Reactive. Will it still be compatible?
