A financial services web application currently keeps authenticated user sessions active indefinitely unless the user explicitly logs out. From a security perspective, which of the following statements BEST describes the implications of this design decision?
It increases the risk of session hijacking because an attacker could reuse an unattended active session.
It is acceptable provided the session cookie is at least 256 bits long and marked Secure and HttpOnly.
It improves security because fewer reauthentication attempts are required, reducing password exposure.
It has no significant security impact as long as HTTPS is used to encrypt the session traffic.
Allowing sessions to remain active without an inactivity timeout exposes the application to session hijacking and unauthorized use of unattended sessions. Industry guidance such as NIST SP 800-63B and the OWASP Session Management Cheat Sheet recommends enforcing both idle and absolute session-expiration limits and terminating sessions once a user has been inactive for a defined period. Implementing these timeouts shortens the window of opportunity for an attacker, whereas simply lengthening the session ID or relying solely on HTTPS does not adequately address the risk.
ISC2 CISSP
Identity and Access Management (IAM)