Best Practice 5_Security_TM: Proactively Invalidate Inactive Sessions

Tanushree Maiti
Mega Sage

By default, the glide.active.session.timeout.invalidate.session property is set to false.

 

When glide.active.session.timeout.invalidate.session is not set to true, there can be a short interval during which a timed-out session is not yet invalidated (60 or more seconds, depending on queue size).
If a session is hijacked, an attacker may be able to use that session during this short period.

 

ServiceNow Recommendation:

ServiceNow recommends setting the glide.active.session.timeout.invalidate.session property to true.

 

ref: Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5 and 2.0] • Z...

 

#Article #Security #Best Practice

 

Regards
Tanushree Maiti
ServiceNow Technical Architect
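An added example, not part of the original post and not ServiceNow's code: a small Node.js audit that reads Table API responses for sys_properties and flags instances where the property is absent (so the default of false applies) or is not set to true. The instance names and sample responses are constructed, and counting only the exact string "true" as enabled is a conservative assumption.

```javascript
// Added example: audit sys_properties exports for the setting discussed above.
const PROP = 'glide.active.session.timeout.invalidate.session';

// Classify one Table API response body (JSON text) for the property.
// Assumed source: GET /api/now/table/sys_properties
//   ?sysparm_query=name=<PROP>&sysparm_fields=name,value
function classify(responseBody) {
  let rows;
  try {
    rows = JSON.parse(responseBody).result;
  } catch (e) {
    // e.g. a login page returned instead of JSON: treat as a finding, not a pass
    return { compliant: false, reason: 'unparseable response' };
  }
  if (!Array.isArray(rows)) return { compliant: false, reason: 'unexpected response shape' };
  const row = rows.find(r => r && r.name === PROP);
  // No record: the default applies, which the post gives as false.
  if (!row) return { compliant: false, reason: 'property not defined, default false applies' };
  // Conservative assumption: only the exact string "true" counts as enabled.
  const value = String(row.value).trim();
  return value === 'true'
    ? { compliant: true, reason: 'set to true' }
    : { compliant: false, reason: `set to "${value}"` };
}

// Names of instances that still leave the timed-out-session window open.
function nonCompliant(exportsByInstance) {
  return Object.entries(exportsByInstance)
    .filter(([, body]) => !classify(body).compliant)
    .map(([name]) => name)
    .sort();
}

// Constructed sample responses keyed by hypothetical instance names.
const SAMPLE = {
  'dev-example': JSON.stringify({ result: [] }),
  'test-example': JSON.stringify({ result: [{ name: PROP, value: 'false' }] }),
  'prod-example': JSON.stringify({ result: [{ name: PROP, value: 'true' }] }),
  'uat-example': '<html>login required</html>',
};

for (const [name, body] of Object.entries(SAMPLE)) {
  const r = classify(body);
  console.log(`${name}: ${r.compliant ? 'OK' : 'FINDING'} (${r.reason})`);
}
```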