Insecure session expiration time - Java

Insecure session expiration time - Java

Need

Enforce secure session expiration time

Context

  • Usage of Java 8 for developing applications with enhanced features and performance improvements
  • Usage of javax.servlet-api for developing Java web applications with Servlets

Description

Non compliant code

        import javax.servlet.http.HttpSession;

public class UserSession {
    public void createSession(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        // Session created without setting expiration time
    }
}
        
        

In the above code, a new session is created every time the createSession method is called. The getSession(true) method is used to create a new session if the current session does not exist. However, no expiration time is set for the session. This means that the session remains active indefinitely until the server is shut down or the session is invalidated manually.

The absence of an expiration time makes the application vulnerable to attacks. An attacker could potentially hijack the session and gain unauthorized access to sensitive information. Moreover, keeping sessions alive indefinitely can consume significant server resources, leading to performance issues.

This is an insecure practice as it violates the principle of least privilege, which suggests that a session should only remain active for the duration it is needed and no longer. It is recommended to set an expiration time for sessions to mitigate the risk of session hijacking and resource exhaustion.

Steps

  • Set an expiration time for user sessions
  • Implement a mechanism to track user activity and reset the session expiration time
  • Consider using a session management framework or library that handles session expiration automatically
  • Regularly review and update the session expiration time to ensure it meets the security requirements

Compliant code

        import javax.servlet.http.HttpSession;

public class UserSession {
    public void createSession(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        // Set session to expire after 5 minutes of inactivity
        session.setMaxInactiveInterval(5*60);
    }
}
        
        

The updated code now includes a line that sets the maximum inactive interval for the session. This is done using the setMaxInactiveInterval method of the HttpSession object. The argument to this method is the number of seconds after which the session should expire if there is no activity. In this case, we want the session to expire after 5 minutes of inactivity, so we pass 5*60 (300 seconds) as the argument.

This ensures that if a user does not interact with the application for 5 minutes, their session will automatically expire. This reduces the risk of session hijacking attacks, where an attacker could potentially use an old session to gain unauthorized access to the application.

It's important to note that this is a server-side setting. The session will not expire on the client side after this time, but any request made after this time will result in a new session being created on the server.

Remember to regularly review and update the session expiration time to ensure it meets your application's security requirements.

References