TIMIFY is an appointment scheduling and resource management software for teams and enterprises
Session management is essential for maintaining both security and user experience. Sticky sessions provide a consistent user experience by routing a user's requests to the same server within a load-balanced system. This maintains session continuity, preventing the loss of session data such as user preferences and shopping-cart items, and is usually implemented by tracking sessions through cookies or session IDs.
Session management is a critical aspect of web application security, as it enables the creation, maintenance, and termination of user sessions. A user session refers to the period during which a user interacts with a web application, and managing these sessions securely is essential to prevent unauthorized access and session hijacking. Effective session management involves several key practices, including generating secure session IDs, configuring idle session timeouts, and implementing multi-factor authentication to enhance security. By focusing on these areas, you can significantly reduce the risk of security breaches and ensure a safer environment for your users.
For service providers, handling customer accounts and personal data is a huge responsibility, and managing their security is an ongoing battle against new technologies and new types of attack.
At TIMIFY we are constantly working to ensure our solution goes above and beyond the recommended security measures, helping to give our clients peace of mind when building their business around our system.
While security risks should be considered across all your operations, this article is focussed specifically on an issue known as ‘Broken Authentication’.
This refers to an attacker who takes advantage of poor user authentication and session management functions to hijack the identity of a genuine user, and their access to your systems and data.
The Open Web Application Security Project (OWASP), a leading organisation working to improve software security, lists Broken Authentication as the second biggest threat to software systems, stating that its prevalence is usually due to the “design and implementation of most identity and access controls”.
“Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or eye retina).”
– OWASP Session Management Cheat Sheet
Implementing effective session expiry mechanisms is crucial to enhance user security while maintaining usability. Strategies such as using graceful session expiry notifications and setting appropriate expiration times based on application risk can help prevent unauthorized access.
To help combat this threat for TIMIFY clients, we have launched two new features which should be used in conjunction to help secure your session management against attacks.
The first, a configurable session length, lets you set how long the session identifier (session ID) issued to an individual user remains valid before they must log in again, even if they have been using the system continuously.
Security best practice is to keep user sessions as short as is feasible, to minimise an attacker’s window of opportunity to access your account (our default is 48 hours).
It is also important to set common idle timeout ranges based on application risk level. For high-value applications, shorter timeouts of 2-5 minutes are recommended, while low-risk applications can have longer timeouts of 15-30 minutes.
The time limits are simple to set up and can be adjusted by days, hours or minutes.
The examples below show just how easily poorly implemented session length can be exploited.
A user on a public or shared machine is logged in to TIMIFY. When they finish, they close the browser. However, if the session length is long, an attacker who later reopens the browser can simply resume the session. Inactive sessions can also significantly impact system performance and resource utilisation, especially in environments with many users or applications.
Even if a user clicks the log out button before leaving the device, if the session is long the session ID remains valid and could be used from anywhere without re-authenticating. It is crucial to manage session data securely, including the user ID, keeping sensitive information on the server side to prevent unauthorised access.
Hijacking a user session doesn’t even require someone to physically access your machine. Using TIMIFY on an insecure or public Wi-Fi network gives an attacker the opportunity to intercept your browser cookies and use them to access your session without re-authenticating. Setting an appropriate absolute timeout based on the risk level of the application is crucial to limit session hijacking. To maintain security, users should be required to re-authenticate once the session time limit is reached or when switching between multiple browser tabs.
Again, if the session is long, this gives the attacker a longer window of opportunity to gain access.
In addition to reducing the session lengths, TIMIFY allows you to further strengthen security with the option to force a session to end after a period of user inactivity.
After a designated idle period, users will be prompted to confirm if they are still using their account. If they don’t respond, they will be logged out.
This protects against attackers gaining access to your system via a logged in machine which has been left unattended for just a few moments.
It can be particularly relevant for service providers, where staff will often be using shared or portable devices while also delivering the service and distracted by a face-to-face interaction.
Exactly how long you should set an inactivity timeout again depends on the nature of the data your system holds, but OWASP gives some general advice below:
“OWASP recommends application builders to implement short idle time outs (2-5 minutes) for applications that handle high-risk data, like financial information. It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications.”
The scenarios below show how not having an inactivity timeout in place can quickly be manipulated by attackers.
A physiotherapist may have a laptop or tablet in a treatment room to have customer details to hand, but frequently leave the device while they treat others or fetch materials.
Likewise, computers in an open plan office, shared workspace or reception area can be accessed when employees leave a machine to assist a visitor, go to the kitchen or use the bathroom.
In just a few moments an attacker can take control of the machine and have an authorised user’s access to your data or steal login information to use later.
A work laptop could be left on a train or in a coffee shop, or simply snatched by a thief.
If there is no inactivity timeout, an attacker can simply take the machine and access your TIMIFY account later, when they are no longer in a public area. Both the client and server sides must enforce the timeout and expiration rules to ensure session security.
With a short inactivity timeout, the window of opportunity is very small and risky for an attacker to exploit in a public area.
Secure session IDs are essential for preventing session hijacking and brute-force attacks. A secure session ID should be randomly generated, unique, and unpredictable, with a sufficient amount of entropy to prevent guessing or brute-forcing. It is recommended to use a cryptographically secure pseudorandom number generator (CSPRNG) to generate session IDs, ensuring they are at least 128 bits long. Additionally, session IDs should be stored securely on the server-side and transmitted over HTTPS to prevent eavesdropping and tampering. By following these best practices, you can significantly enhance the security of your user sessions and protect against unauthorized access.
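As an added example (not TIMIFY's code or a description of its implementation), the following minimal server-side session store combines the two controls described above, an absolute session length and an inactivity timeout, with CSPRNG-generated 128-bit session IDs and a logout that invalidates the ID on the server, so a replayed cookie stops working in each of the scenarios listed. The 48-hour and 15-minute limits and the ManualClock helper are assumptions for illustration.

```python
import secrets
import time

# Illustrative limits: 48 hours is the default session length the article quotes,
# 15 minutes the upper end of OWASP's low-risk idle range quoted above.
ABSOLUTE_LIFETIME = 48 * 60 * 60   # seconds a session may live, however active the user is
IDLE_TIMEOUT = 15 * 60             # seconds without a request before the session is dropped

class ManualClock:
    """Hypothetical clock that advances only when told to, so expiry can be tested without waiting."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

class SessionStore:
    """Server-side store: the browser holds only the opaque ID; all session state stays here."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user", "created", "last_seen"}

    def create(self, user):
        # 128 bits from the OS CSPRNG; the ID encodes nothing about the user, so it cannot be predicted
        sid = secrets.token_urlsafe(16)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, else None; a live hit refreshes only the idle timer."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] >= ABSOLUTE_LIFETIME or now - rec["last_seen"] >= IDLE_TIMEOUT:
            del self._sessions[sid]   # removed server-side, so a replayed cookie is useless
            return None
        rec["last_seen"] = now
        return rec["user"]

    def idle_remaining(self, sid):
        """Seconds until idle expiry, without touching the session; drives the 'still there?' prompt."""
        rec = self._sessions.get(sid)
        return 0.0 if rec is None else max(0.0, IDLE_TIMEOUT - (self._clock() - rec["last_seen"]))

    def logout(self, sid):
        """Invalidate on the server; clearing only the cookie would leave the ID usable elsewhere."""
        self._sessions.pop(sid, None)
```

Note that validate() refreshes the idle timer but never the creation time, which is what makes the absolute limit bite even for a continuously active user.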
Multi-factor authentication (MFA) is an effective way to enhance security and prevent unauthorized access to user sessions. MFA requires users to provide additional verification factors, such as a one-time password (OTP) or a client-based digital certificate, in addition to their username and password. This added layer of security makes it more difficult for attackers to gain access to user sessions, even if they have obtained the user’s credentials. MFA can be implemented using various methods, including SMS-based OTP, authenticator apps, or biometric authentication. By incorporating MFA into your session management strategy, you can significantly enhance the security of your web application.
Client-side session management means keeping session state on the client, using techniques such as cookies, local storage, or token-based authentication. While convenient, it can be vulnerable to risks such as session fixation or cross-site scripting (XSS) attacks if not implemented properly. To mitigate these risks, it is essential to use secure protocols such as HTTPS and to implement proper session expiration and renewal mechanisms. Client-side session management should also balance security with user convenience, using idle timeout policies and absolute timeout values. By following these best practices, you can ensure a secure and user-friendly session management experience.
Session timeout policies require collaboration between your development, IT, and security teams. Developers must implement the technical configurations, IT teams oversee infrastructure and policy enforcement, and security experts guide best practices and compliance alignment. Make sure each team understands their role, and involve them in creating and updating the policy to account for new risks, user feedback, and system changes. For SaaS companies, especially, cross-functional collaboration is critical to ensure consistent, scalable, and compliant session control across all systems and customer accounts.
Setting idle session timeouts is a crucial step in securing your web application and protecting sensitive user data. By implementing best practices for session timeout policies, secure session IDs, multi-factor authentication, and client-side session management, you can significantly enhance the security of your web application and protect against unauthorized access. Remember that security is an ongoing process that requires continuous monitoring, testing, and improvement. By staying informed and proactive, you can ensure that your web application remains secure and resilient against evolving cyber threats.
TIMIFY is a global leader in scheduling and resource management software-as-a-service (SaaS). It is known for its sophisticated, secure, and customisable enterprise-focused technology.