Best Practice 4_Security_TM: Limit UI Active Session Life Span
4 hours ago
Use the glide.guest.active.session.life_span property to control the duration of an active guest's HTTP sessions.
The glide.guest.active.session.life_span property enforces a maximum lifespan on active guest HTTP sessions, independent of the inactivity timeout (the time a user may remain idle before the session expires and closes). The value is in minutes. A value of zero disables the lifespan limit, so active guest sessions never time out. A larger value allows an attacker who has stolen a session to keep using it for longer, increasing the chance of a security incident. This property applies only to guest users, who have low-privilege access to an instance.
If you check your PDI (Personal Developer Instance), the default value of the glide.guest.active.session.life_span property is 0.
Security risk details: Setting the maximum lifespan to a large value gives a bad actor more time within an instance in the event that they steal a session.
ServiceNow recommendation:
To remediate this security vulnerability, set glide.guest.active.session.life_span to a value greater than 0 and less than or equal to 720 minutes.
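The following is an added example, not code from the original post or from ServiceNow: a small audit routine that reads the glide.guest.active.session.life_span property and classifies it against the range recommended above (greater than 0, at most 720 minutes), flagging the default of 0 (lifespan limit disabled), values above 720, and non-numeric or negative values. The property name and the range come from the post; the function names, the injected property reader and the sample instance values are this example's own assumptions. It runs stand-alone over constructed sample values; inside a ServiceNow background script you would pass a reader built on gs.getProperty.

```javascript
// Added example (not from the original post): audit the
// glide.guest.active.session.life_span system property against the
// recommended range of 1..720 minutes and return a structured finding.
// Property name and range are from the post; everything else here
// (function names, reader abstraction, sample values) is assumed.
// Written with var/function rather than const/arrow functions so it
// also runs in older ServiceNow (Rhino) script engines.

var PROPERTY = 'glide.guest.active.session.life_span';
var MAX_MINUTES = 720;

// Classify a raw property value (ServiceNow stores properties as strings).
function classifyLifespan(raw) {
  var text = (raw === null || raw === undefined) ? '' : String(raw).trim();
  if (text === '') {
    return { status: 'missing', minutes: null, compliant: false,
             reason: 'property not set; platform default of 0 applies' };
  }
  if (!/^-?\d+$/.test(text)) {
    return { status: 'invalid', minutes: null, compliant: false,
             reason: 'value is not an integer number of minutes' };
  }
  var minutes = parseInt(text, 10);
  if (minutes < 0) {
    return { status: 'invalid', minutes: minutes, compliant: false,
             reason: 'negative values are not meaningful' };
  }
  if (minutes === 0) {
    return { status: 'disabled', minutes: minutes, compliant: false,
             reason: 'active guest sessions never expire (lifespan limit off)' };
  }
  if (minutes > MAX_MINUTES) {
    return { status: 'too_long', minutes: minutes, compliant: false,
             reason: 'exceeds recommended maximum of ' + MAX_MINUTES + ' minutes' };
  }
  return { status: 'ok', minutes: minutes, compliant: true,
           reason: 'within recommended range 1..' + MAX_MINUTES };
}

// Read the property through an injected reader so the check runs outside
// the platform. Inside ServiceNow, pass:
//   function (name) { return gs.getProperty(name); }
function auditGuestSessionLifespan(readProperty) {
  var raw = readProperty(PROPERTY);
  var finding = classifyLifespan(raw);
  finding.property = PROPERTY;
  finding.raw = raw;
  return finding;
}

// Constructed sample values standing in for several instances' settings.
var SAMPLE_INSTANCES = {
  'pdi-default': '0',
  'hardened':    '60',
  'too-long':    '1440',
  'typo':        '60m'
};

// Audit every sample and return only the non-compliant ones.
function nonCompliantInstances(instances) {
  var findings = [];
  Object.keys(instances).forEach(function (name) {
    var finding = auditGuestSessionLifespan(function () { return instances[name]; });
    if (!finding.compliant) {
      finding.instance = name;
      findings.push(finding);
    }
  });
  return findings;
}

// Stand-alone run (skipped when executed inside ServiceNow, where gs exists).
if (typeof gs === 'undefined') {
  console.log(JSON.stringify(nonCompliantInstances(SAMPLE_INSTANCES), null, 2));
}
```

The reader is injected rather than calling gs.getProperty directly so the same classification logic can be unit-tested off-platform and reused in a scheduled job that reports the property's value alongside the guest inactivity timeout.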
#article #Best Practice #Security
