Avoid having long timeout for HttpCookie (> 5 mn)

Rule Definition
Enables to attacker to comprise the user accounts if the session time is set to more than required (5mn).

Remediation
Set the time out to less than 5 min or less.

Violation Code Sample

<configuration> <system.web> <authentication> <forms timeout="60" /> </authentication> </system.web> </configuration>

Fixed Code Sample

<configuration> <system.web> <authentication> <forms timeout="5" /> </authentication> </system.web> </configuration>

Reference

https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication https://cwe.mitre.org/data/definitions/613.html OWASP Top 10 2004 -A10-Insecure Configuration Management OWASP Top 10 2007 -A7-Broken Authentication and Session Management OWASP Top 10 2010 -A6-Security Misconfiguration OWASP Top 10 2013 -A2-Broken Authentication and Session Management

Related Technologies

Health Factor

Security

Technical Criterion
Secure Coding - Weak Security Features

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

91.13%

Software ISV

79.31%

Financial Services

87.78%

Want more stats? Register now!