Absolute Timeout setting within OutSystems

Hi Team,

It would be good if we could have an Absolute timeout setting within our OutSystems application or infrastructure.

What is Absolute timeout?

All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active, closing and invalidating the session upon the defined absolute period since the given session was initially created by the web application. After invalidating the session, the user is forced to (re)authenticate again in the web application and establish a new session.

The absolute session limits the amount of time an attacker can use a hijacked session and impersonate the victim user.

Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications. Absolute timeouts depend on how long a user usually uses the application. If the application is intended to be used by an office worker for a full day, an appropriate absolute timeout range could be between 4 and 8 hours.

You can read more about this at the link below:

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
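To make the difference between the two timers concrete, here is an added illustration (not code from the post, from OWASP or from the OutSystems platform) of a session check that enforces both an idle and an absolute timeout, using the 15-minute idle and 8-hour absolute values from the ranges quoted above. The `Session` record, `check_session` function and the simulated office-worker traffic are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)     # low-risk app range quoted above (15-30 min)
ABSOLUTE_TIMEOUT = timedelta(hours=8)    # full-day office application (4-8 h)


@dataclass
class Session:
    """Minimal server-side session record (constructed for this example)."""
    created_at: datetime      # fixed at login; never refreshed
    last_activity: datetime   # refreshed on every request
    valid: bool = True


def check_session(session, now, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
    """Return 'ok', 'idle_expired', 'absolute_expired' or 'invalid'.

    The absolute check is evaluated first and looks only at created_at,
    so a continuously active session is still invalidated once the
    absolute period has elapsed. Only the idle timer is reset by activity.
    """
    if not session.valid:
        return "invalid"
    if now - session.created_at >= absolute:
        session.valid = False          # force re-authentication
        return "absolute_expired"
    if now - session.last_activity >= idle:
        session.valid = False
        return "idle_expired"
    session.last_activity = now        # activity refreshes the idle timer only
    return "ok"


def simulate_active_user(hours, request_interval=timedelta(minutes=5)):
    """Simulate a user sending a request every few minutes for `hours` hours.

    Returns (number of accepted requests, final status). With a 5-minute
    interval the idle timer never fires; only the absolute timer can.
    """
    start = datetime(2024, 1, 1, 9, 0, 0)          # constructed login time
    session = Session(created_at=start, last_activity=start)
    now, accepted, status = start, 0, "ok"
    while now <= start + timedelta(hours=hours):
        status = check_session(session, now)
        if status != "ok":
            break
        accepted += 1
        now += request_interval
    return accepted, status
```

A user who keeps clicking every 5 minutes gets exactly 96 accepted requests (8 hours at 12 per hour) and is then logged out by the absolute timer, whereas a 20-minute pause trips the idle timer first.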


I do not see the real benefit of an Absolute Timeout. As I understand it, you propose to maintain the regular timeout system. The session will expire before the absolute timeout takes effect.


Regards

Hi @Alberto Ferreira  ,

I am not sure whether you have checked the URL I supplied in my explanation or not, but it is one of the recommendations from OWASP security and most organizations are now using it.

And there is a difference between session timeout and absolute timeout. As you said, session timeout will occur before the absolute time; then you did not understand it correctly. Absolute timeout means that if a user is active (not idle) for a longer period of time, for example more than 4-6 hours continuously, then it might be a security risk or more prone to security attack. You can read the details in the URL I mentioned in the post. Previously I was also confused by the term session timeout, but now I am pretty clear on this; that is why I have raised it as an idea.

I hope it helps.

Regards,

Manish Jawla