Session Management

Overview
Session Management is the process of ensuring that systems and user sessions are protected when a session is abandoned or a system is no longer in use.  Examples of user sessions include:
  • Workstation sessions - for tracking the state of open applications and the user session during log on, log off and browser activities
  • Website sessions - to require the user to re-login when the session expires after a certain period of user inactivity.  Session information is also stored on the server side, keyed by a session identifier (e.g. session ID) together with the associated session data (e.g. account name, number, etc.).

Guidelines
Mechanisms should be in place to protect and secure systems when not in use.  For example, workstations and servers should have a log on screen "auto-lock" mechanism that locks the system after a certain period of inactivity and requires the user to re-login to re-authenticate the session.  The most common best practice is to set the auto-lock feature to 30 minutes for user workstations (including desktops, laptops and servers).

This auto-lock feature helps prevent unauthorized access to a system that has been left unattended.  Users should of course practice good security by locking systems before walking away, but the auto-lock feature enhances security by enforcing the control.

For website connectivity, sessions should also be timed out when no longer in use.  Sensitive websites with access to Personally Identifiable Information (PII), financial or other sensitive information may want a shorter session timeout (e.g. 15 minutes) for internet-facing or customer-facing websites.  For internal, company-facing (or intranet) applications, 30 minutes or longer may be appropriate, consistent with workstation session timeout settings.

Organizations may also choose to leverage "Single Sign-on" (or SSO) to allow a user's single ID and password to access multiple applications through a single session.  Organizations should weigh the business value of improved productivity against the security benefits of stricter session timeout settings.  If sufficient compensating controls exist (e.g. monitoring, access control, workstation auto-lock, etc.), lengthening the SSO session timeout so that re-authentication is required once per day may make good business sense.  More sensitive applications may require session timeouts of at least 30 minutes.

In all cases, re-establishing a timed out session requires system or user re-authentication.  Connection pooling is authorized, but is subject to the user inactivity timeout and limited to a maximum duration of 24 hours.
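As an added example (not part of this guideline), the following Python sketch of a server-side session store applies the timeouts above: an inactivity timeout chosen per profile (15 minutes internet-facing, 30 minutes internal), a 24-hour absolute limit, and re-authentication when either expires.  The class, function and profile names are assumptions.

```python
# Added example, not from the guideline: a server-side session store that
# enforces the idle timeout per profile and the 24-hour absolute cap.
# Profile names, class names and the in-memory store are assumed.
import secrets
from dataclasses import dataclass

# Timeout profiles from the guideline, in seconds (assumed key names).
PROFILES = {
    "internet_facing": {"idle": 15 * 60, "absolute": 24 * 3600},
    "internal":        {"idle": 30 * 60, "absolute": 24 * 3600},
}

@dataclass
class Session:
    session_id: str      # opaque identifier sent to the client
    account: str         # server-side data keyed by the identifier
    profile: str
    created_at: float    # epoch seconds when the user authenticated
    last_seen: float     # epoch seconds of the last request

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, account, profile, now):
        """Called only after a successful (re-)authentication."""
        sid = secrets.token_urlsafe(32)   # unguessable session ID
        self._sessions[sid] = Session(sid, account, profile, now, now)
        return sid

    def validate(self, sid, now):
        """Return the account for a live session, or None when re-authentication
        is required (unknown ID, idle timeout, or 24-hour absolute limit)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        limits = PROFILES[s.profile]
        if now - s.last_seen > limits["idle"] or now - s.created_at > limits["absolute"]:
            self._sessions.pop(sid)     # expired: discard server-side state
            return None
        s.last_seen = now               # activity extends the idle window only
        return s.account
```

Each request calls `validate`; a `None` result means the application must send the user back through authentication and issue a new session ID.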

Topic Category
Access Control