ColdFusion must set a maximum session timeout value.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279073 | SRG-APP-000295-AS-000263 | APAS-CF-000555 | SV-279073r1171560_rule | 2025-12-19 | 1 |
| Description |
|---|
| An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, ColdFusion must be configured to close sessions when a configured condition or trigger event is met. One such event is user inactivity. ColdFusion offers an inactivity parameter that lets the session timeout be set system-wide. ColdFusion also allows a developer to override the default timeout and set a new one. A separate maximum setting caps how high a developer can raise that timeout. |
| ℹ️ Check |
|---|
| Validate the Session Variable Timeout configuration. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Under the "Maximum Timeout" section, locate the setting for "Session Variables". If the timeout value for Session Variables is set to greater than 1 hour, this is a finding. |
| ✔️ Fix |
|---|
| Configure the Session Variable Timeout configuration. 1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables. 2. Under the "Maximum Timeout" section, locate the setting for "Session Variables". 3. Set the "Session Variables" to "1" hour or fewer. 4. Select "Submit Changes". |
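The Check and Fix above are performed by hand in the Administrator; the following is an added example (not part of the STIG or Adobe's tooling) of automating the same test against the on-disk configuration. It assumes that ColdFusion's neo-runtime.xml stores the Memory Variables settings WDDX-style, with a `sessionTimeout` entry whose `maximum` value is a four-number array of days, hours, minutes and seconds; confirm that layout against a real install before relying on it, and the sample packets below are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

MAX_ALLOWED_SECONDS = 3600  # APAS-CF-000555: "1" hour or fewer


def make_sample(days, hours, minutes, seconds):
    """Build a constructed neo-runtime.xml fragment in the assumed WDDX layout.

    Assumption: sessionTimeout -> maximum is a four-number array of
    [days, hours, minutes, seconds]; verify against a real install.
    """
    nums = "".join(f"<number>{v:.1f}</number>" for v in (days, hours, minutes, seconds))
    return (
        "<wddxPacket version='1.0'><data><struct type='coldfusion.server.ConfigMap'>"
        "<var name='sessionTimeout'><struct type='coldfusion.server.ConfigMap'>"
        "<var name='default'><array length='4'>"
        "<number>0.0</number><number>0.0</number><number>20.0</number><number>0.0</number>"
        "</array></var>"
        f"<var name='maximum'><array length='4'>{nums}</array></var>"
        "</struct></var></struct></data></wddxPacket>"
    )


def timespan_seconds(array_el):
    """Convert a WDDX <array> of [days, hours, minutes, seconds] to whole seconds."""
    nums = [float(n.text) for n in array_el.findall("number")]
    if len(nums) != 4:
        raise ValueError(f"expected 4 timespan components, got {len(nums)}")
    d, h, m, s = nums
    return int(d * 86400 + h * 3600 + m * 60 + s)


def session_max_seconds(xml_text):
    """Return the configured maximum session-variable timeout in seconds."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == "sessionTimeout":
            for sub in var.iter("var"):
                if sub.get("name") == "maximum":
                    return timespan_seconds(sub.find("array"))
    raise KeyError("sessionTimeout/maximum not present in config")


def check_apas_cf_000555(xml_text):
    """Return (is_finding, configured_seconds): a finding if the maximum exceeds 1 hour."""
    secs = session_max_seconds(xml_text)
    return secs > MAX_ALLOWED_SECONDS, secs


if __name__ == "__main__":
    for label, cfg in (("2 days", make_sample(2, 0, 0, 0)), ("1 hour", make_sample(0, 1, 0, 0))):
        finding, secs = check_apas_cf_000555(cfg)
        print(f"{label}: max session timeout {secs}s -> {'FINDING' if finding else 'compliant'}")
```

To run it against a real server, read the file's contents into `check_apas_cf_000555` instead of `make_sample`; a result of `True` corresponds to the finding in the Check above.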