I have a request from my security department to place a session timeout on our website. The website does not require login; customers have to submit certain information, which is stored in a database for a back-office person to access and action. Based on penetration testing: "An attacker can reuse the same session cookie days after the session was initiated. This puts the user at risk if their cookies get stolen. An attacker could acquire account information by stealing the session cookie by performing another attack such as cross-site scripting, phishing or social engineering". The recommendation is:
- The server should perform proper checks on the session state, disallowing an attacker from replaying previously destroyed session identifiers.
- All sessions should implement an idle or inactivity timeout. If not feasible, implement an absolute timeout.
Is this possible? Any advice will be greatly appreciated.
You can try this:
https://www.outsystems.com/forums/discussion/49259/clear-session-for-anonymous-user/
There is a component in Forge that can help you with this:
https://www.outsystems.com/forge/component-overview/1365/browser-session-timeout
That Forge item is also in my reply.
Forgive me as I am new to OutSystems... the component is for Traditional Web while my project is Reactive. Will it still be compatible?
We should have seen this, so the error was on our part.
Perhaps this can help you:
https://www.outsystems.com/forums/discussion/59631/session-timeout-in-a-reactive-app/