[OWASP-ESAPI] Idle Timeout
Jim Manico
jim.manico at aspectsecurity.com
Fri Oct 24 18:41:12 EDT 2008
ESAPI's Idle Session Timeout has 2 problems now that I'd like to fix.
1) The (idle) timeout value of 20 minutes is hard-coded into
DefaultUser.isSessionTimeout
    public boolean isSessionTimeout() {
        HttpSession session =
            ESAPI.httpUtilities().getCurrentRequest().getSession(false);
        if ( session == null ) return true;
        // 20 minutes in milliseconds, hard-coded
        Date deadline = new Date(session.getLastAccessedTime() + 1000 * 60 * 20);
        Date now = new Date();
        return now.after(deadline);
    }
2) Servlet container's configuration setting for idle timeout may
terminate the session prior to ESAPI. Java EE's session-timeout is
handled via web.xml configuration like so:
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
3) I still think it's critical that ESAPI has an idle session
timeout function to ensure that a misconfigured (or buggy) server still
kills the session per ESAPI.
I propose that we discuss this issue (servlet container's setting) in the
interface's JavaDoc as well as push session timeout values to the config
file.
Cool?
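As an added illustration of the proposal (not ESAPI's own code), the same check with the idle timeout read from a properties file instead of being hard-coded, plus a helper that shows how the container's web.xml session-timeout shortens the effective timeout. The property name "Authenticator.IdleTimeoutDuration" and the plain-long session arguments (standing in for HttpSession) are assumptions for this example.

```java
import java.util.Properties;

/**
 * Added example, not ESAPI code. Idle-timeout check with the timeout value
 * taken from configuration; the property name below is assumed.
 */
public class IdleTimeoutCheck {
    static final String IDLE_KEY = "Authenticator.IdleTimeoutDuration"; // assumed key, minutes

    private final long idleTimeoutMinutes;

    public IdleTimeoutCheck(Properties config) {
        // Fall back to the previously hard-coded 20 minutes if the key is absent.
        long minutes = Long.parseLong(config.getProperty(IDLE_KEY, "20").trim());
        if (minutes <= 0) {
            throw new IllegalArgumentException(IDLE_KEY + " must be a positive number of minutes");
        }
        this.idleTimeoutMinutes = minutes;
    }

    /** Same decision as DefaultUser.isSessionTimeout(): no session means timed out. */
    public boolean isSessionTimeout(Long lastAccessedMillis, long nowMillis) {
        if (lastAccessedMillis == null) return true;
        long deadline = lastAccessedMillis + idleTimeoutMinutes * 60 * 1000;
        return nowMillis > deadline;
    }

    /**
     * The container applies its own web.xml <session-timeout> independently, so the
     * session lives for the shorter of the two. A container value of 0 or less means
     * "never expire" in the servlet spec, leaving ESAPI's value as the only limit.
     */
    public long effectiveIdleMinutes(int containerTimeoutMinutes) {
        if (containerTimeoutMinutes <= 0) return idleTimeoutMinutes;
        return Math.min(idleTimeoutMinutes, containerTimeoutMinutes);
    }

    public static void main(String[] args) {
        Properties config = new Properties();      // constructed sample config
        config.setProperty(IDLE_KEY, "15");
        IdleTimeoutCheck check = new IdleTimeoutCheck(config);
        long now = System.currentTimeMillis();
        System.out.println("idle 10 min: " + check.isSessionTimeout(now - 10 * 60 * 1000, now));
        System.out.println("idle 16 min: " + check.isSessionTimeout(now - 16 * 60 * 1000, now));
        System.out.println("no session: " + check.isSessionTimeout(null, now));
        System.out.println("container 60: " + check.effectiveIdleMinutes(60));
        System.out.println("container 10: " + check.effectiveIdleMinutes(10));
    }
}
```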
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com/aboutaspect.htm
http://www.aspectsecurity.com