AAAI-18

Does your application automatically lock the session or log out an account after a period of inactivity?

Explanation

This question is asking whether your application has automatic session timeout functionality that either locks a user's session or logs them out completely after a period of inactivity.

Why this matters: Unattended, active sessions pose a significant security risk. If a user walks away from their device without logging out or locking it, someone else could access the application with their privileges. Automatic session timeouts are a basic security control that mitigates this risk by terminating or suspending access after a predetermined period of inactivity.

This question is being asked in a security assessment because:

1. It addresses the principle of least privilege by ensuring access is available only when actively needed
2. It helps prevent unauthorized access through abandoned sessions
3. It's a requirement in many security frameworks and regulations (like NIST 800-53, PCI DSS, HIPAA)
4. It demonstrates basic security hygiene in your application design

When answering this question, you should:

- Clearly state whether your application has automatic session timeout functionality
- Specify the default timeout period (e.g., 15 minutes, 30 minutes)
- Mention if the timeout period is configurable by administrators
- Describe what happens when a timeout occurs (full logout vs. session lock requiring re-authentication)
- Note any exceptions or special cases where timeouts might be handled differently

Example Responses

Example Response 1

Yes, our application automatically logs users out after 15 minutes of inactivity. This timeout period is configurable by system administrators through the security settings panel, with options ranging from 5 minutes to 8 hours to accommodate different security requirements. When a timeout occurs, users are redirected to the login page and must re-authenticate with their credentials to regain access. All session data is cleared from memory upon timeout. We also display a warning message 2 minutes before the timeout occurs, giving users the option to extend their session if they're still actively working.

Example Response 2

Yes, our application implements both session locking and automatic logout features. After 10 minutes of inactivity, the user's session is locked, requiring them to re-enter their password to continue (while preserving their work). If the locked session remains inactive for an additional 20 minutes (30 minutes total inactivity), the user is completely logged out and all session data is terminated. These timeout values are hardcoded for our SaaS offering to maintain compliance with our SOC 2 certification requirements, but can be customized for on-premises deployments upon request.

Example Response 3

No, our application currently does not have an automatic session timeout feature. Our design philosophy has prioritized user experience and workflow continuity, particularly for our primary user base, who often need to reference the application intermittently throughout the day. We recognize this as a security gap and have added automatic session timeout to our development roadmap for the next quarter. In the interim, we recommend that customers implement compensating controls such as device-level screen locks and security policies requiring users to manually log out when leaving their workstations.
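The following is an added worked example, not code from ResponseHub or from any product described on this page. It models server-side enforcement of the two-stage policy in Example Response 2 (lock at 10 minutes idle, full logout at 30 minutes) together with the pre-timeout warning from Example Response 1; the session ids, timestamps and the 10/30/2 minute defaults are assumed for illustration. The point a reviewer looks for is that a locked session stays locked until a password is verified, so an ordinary request cannot silently reset the idle clock.

```python
from dataclasses import dataclass
from enum import Enum

class SessionState(Enum):
    ACTIVE = "active"    # request proceeds and the idle clock is reset
    LOCKED = "locked"    # work preserved; password required before any request proceeds
    EXPIRED = "expired"  # fully logged out; server-side session discarded

@dataclass
class Session:
    last_activity: float  # epoch seconds of the last genuine user activity
    locked: bool = False

class SessionStore:
    def __init__(self, lock_after: float = 10 * 60, logout_after: float = 30 * 60,
                 warn_before: float = 2 * 60) -> None:
        # Assumed policy in seconds: lock after 10 min idle, log out at 30 min, warn 2 min before locking
        self.lock_after, self.logout_after, self.warn_before = lock_after, logout_after, warn_before
        self._sessions: dict[str, Session] = {}

    def create(self, sid: str, now: float) -> None:
        self._sessions[sid] = Session(last_activity=now)

    def access(self, sid: str, now: float) -> SessionState:
        """Evaluate a user request against the idle policy; returns the state to enforce."""
        s = self._sessions.get(sid)
        if s is None or now - s.last_activity >= self.logout_after:
            self._sessions.pop(sid, None)  # full logout: nothing of the session survives
            return SessionState.EXPIRED
        if s.locked or now - s.last_activity >= self.lock_after:
            s.locked = True  # sticky: an ordinary request must not reset the idle clock
            return SessionState.LOCKED
        s.last_activity = now  # genuine activity extends the session
        return SessionState.ACTIVE

    def unlock(self, sid: str, password_ok: bool, now: float) -> SessionState:
        """Re-authentication for a locked session; only a verified password clears the lock."""
        state = self.access(sid, now)
        if state is SessionState.LOCKED and password_ok:
            s = self._sessions[sid]
            s.locked, s.last_activity = False, now
            return SessionState.ACTIVE
        return state

    def should_warn(self, sid: str, now: float) -> bool:
        """Read-only check for the client's 'extend session?' prompt; polling it is not activity."""
        s = self._sessions.get(sid)
        if s is None or s.locked:
            return False
        return now - s.last_activity >= self.lock_after - self.warn_before
```

The caller passes `now` explicitly so the policy can be unit-tested without sleeping; in a request handler it would be `time.time()`.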

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub