Year Of Security for Java – Week 17 – Set a Hard Session Timeout

No Gravatar

What is it and why should I care?

A session timeout is an important security control for any application. It specifies the length of time that an application will allow a user to remain logged in before forcing the user to re-authenticate. There are 2 types: Soft Session Timeouts (last week’s topic) and Hard Session Timeouts (this week’s topic).

A hard session timeout is applied when the user has been logged in for a specific period of time, no matter what.

As an example, lets say we have a system where:
1. Access to the application requires authentication
2. Attempting to access any portion of the application except login (and change/reset pw, etc.) redirects you to the login page.
3. A user logs into your system and uses the system, actively or inactively, for 9 hours and you have a hard session timeout that is set to 9 hours

The net effect of this will be that the next interaction this user has with the system will then redirect them to the login page.

The section above shows what a hard session timeout is and does, but what is it protecting against? Whereas a soft session timeout is angled more towards preventing CSRF and similar attacks, a hard session timeout (while it does help protect against those as well) is helpful to prevent things like the permanent hijacking of an account. If an attacker does overtake an account, they can’t use it forever without re-authentication. For this same reason, you should force authentication (validate old password) whenever a user attempts to change the password of the account.

What should I do about it?

Many applications, even those that avoid the soft session timeout, do include a hard session timeout. Unfortunately, it’s not available simply to Java developers as an option for configuration. That means you have to either roll your own, or look for some existing software outside of the core Java/J2EE options.

In Java, there are a few ways you can enable a hard session timeout:

Option 1: Set timeout in code

There is no specific Java API call to do this. However, you could easily setup a filter (or your handler/interceptor of choice) to perform this task. Essentially it would require you to store the last logged in time of every user and tie that to their authenticated session id. If a request is made using a session id tied to a user who has been logged in > X minutes, invalidate the session, and redirect the request to the login screen. Fairly simple idea.

Option 2: Use a third party library

Though I’m not aware of any libraries off the top of my head that do this, it wouldn’t be hard to theoretically. (If one doesn’t exist, you could always build it and donate it to the community!)

Option 3: SSO sets the timeout

This is not a Java-only option, but still should be mentioned. Many enterprises use large single sign-on (SSO) identity systems to control access to applications. Many of these systems allow you to set the timeout (both a soft timeout and a hard timeout) for an application.

As you can see, the hard session timeout is a useful security control. It allows you to have another layer of protection for your application and your users.


Be Sociable, Share!

Technorati Tags: ,