- Ensure that the session timeout is not too long
- Ensure that the session is properly invalidated or terminated
- Set an appropriate session timeout
- Use $Tomcat/conf/web.xml to set the session timeout at server level
- Use $Tomcat/webapps/myproje/WEB-INF/web.xml to set the session timeout at application level
Vulnerable Code
- Session timeout is set to an unlimited duration

Secure Code
- Session timeout is set to 15 minutes

Implement Appropriate Session Timeout (Cont’d)
Secure Code: Setting Different Session Timeout for Different Users

Secure Code: Setting Different Session Timeout Programmatically
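The web.xml setting, the per-role timeout and the programmatic timeout described above, as one added Java servlet example that is not code from the original slides; the URL mappings, the role names, the "authenticatedRole" request attribute, the 5-minute admin limit and the login page path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Application-wide default in WEB-INF/web.xml, in minutes; 0 or a negative
 * value means the session never expires, which is the vulnerable setting.
 *
 *   <session-config>
 *       <session-timeout>15</session-timeout>
 *   </session-config>
 */
@WebServlet(urlPatterns = {"/login", "/logout"})  // assumed URL mappings
public class SessionTimeoutServlet extends HttpServlet {
    // setMaxInactiveInterval() takes seconds, unlike web.xml, which takes minutes.
    static final int USER_TIMEOUT  = 15 * 60;  // the slide's 15-minute limit
    static final int ADMIN_TIMEOUT = 5 * 60;   // assumed: privileged sessions expire sooner

    /** Per-role idle limit; anything not recognised as a plain user gets the shorter one. */
    static int timeoutFor(String role) {
        return "user".equals(role) ? USER_TIMEOUT : ADMIN_TIMEOUT;
    }
    /** Login: discard any pre-login session, then issue a fresh one with a per-role limit. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumed: an upstream authentication filter stores the verified role here.
        String role = (String) req.getAttribute("authenticatedRole");
        if (role == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("role", role);
        session.setMaxInactiveInterval(timeoutFor(role));
    }
    /** Logout: terminate the session explicitly instead of waiting for the idle timeout. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if ("/logout".equals(req.getServletPath()) && session != null) session.invalidate();
        resp.sendRedirect(req.getContextPath() + "/login.html");  // assumed static login page
    }
}
```

A value set with setMaxInactiveInterval() overrides the web.xml default for that session only, so the declarative 15-minute limit still protects every session the code does not touch.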
