Details
Suggestion
Resolution: Unresolved
Description
Improvement description
To better comply with the security standard OWASP OTG-SESS-006, which states:
Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session tokens decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.
We should log the user's session (JSESSIONID) out of all browsers where it is active.
In Confluence this is currently achieved with a “session timeout”: when this timeout value is reached, all sessions and cookies linked to the session are expired irrespective of the browser used.
However, such a timeout can only reasonably be triggered after a considerable period (so as not to disturb the user experience too much).
This could be accomplished as described below.
https://stackoverflow.com/questions/35276554/spring-security-how-to-expire-all-sessions-of-a-user
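One way to implement the suggestion with Spring Security's SessionRegistry, as an added example that is not Confluence or Atlassian code: the class names UserSessionTerminator and SessionTrackingConfig are assumed, as is the Spring Security 5 sessionManagement() API and that the container session behind JSESSIONID is the one the registry tracks.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Assumed helper (not Confluence code): expires every tracked session of one user,
// regardless of which browser or device holds the JSESSIONID cookie.
public class UserSessionTerminator {
    private final SessionRegistry sessionRegistry;

    public UserSessionTerminator(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Marks every live session of {@code username} as expired; returns how many were affected. */
    public int expireAllSessions(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!(principal instanceof UserDetails)) continue;
            if (!username.equals(((UserDetails) principal).getUsername())) continue;
            // includeExpiredSessions=false: skip sessions already marked expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation session : sessions) {
                // ConcurrentSessionFilter sees the expired flag on that browser's next
                // request, invalidates the HttpSession and redirects it to the logout target.
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }
}

@Configuration
class SessionTrackingConfig {
    @Bean
    SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    // Without this listener the registry never learns that a container session was destroyed.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }

    // Call from WebSecurityConfigurerAdapter.configure(HttpSecurity): registers every
    // authenticated session. maximumSessions(-1) means no concurrency limit, tracking only.
    void registerSessionsWith(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.sessionManagement().maximumSessions(-1).sessionRegistry(registry);
    }
}
```

The forced logout takes effect on each browser's next request rather than instantly, so a session that never sends another request still relies on the existing timeout to expire.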
Attachments
Issue Links
relates to:
CONFSERVER-32683 Force Specific User Session to Expire (Closed)
CONFSERVER-40414 Expire all cookies functionality (Gathering Interest)