Xylok Security Suite must expire a session upon browser closing.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-269572 | SRG-APP-000005 | XYLK-20-000005 | SV-269572r1053491_rule | 2025-12-04 | 1 |
Description
When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser.
Leaving a session open in the browser even after it is closed could expose the system to various types of attacks, like cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk.
Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413
ℹ️ Check
Verify session expires after browser is closed. Execute the following:
$ grep SESSION_EXPIRE_AT_BROWSER_CLOSE /etc/xylok.conf
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
If "SESSION_EXPIRE_AT_BROWSER_CLOSE" is not set to "True" or is missing, this is a finding.
✔️ Fix
Set the session expiration:
1. As root, open /etc/xylok.conf in a text editor.
2. Add/Amend "SESSION_EXPIRE_AT_BROWSER_CLOSE=True" to the configuration file.
3. Restart Xylok to apply settings by executing the following:
# systemctl restart xylok