Invalidate Session After OAuth Token Expiration [New in Security Center 2.0]

  • Release version: Yokohama
  • Updated January 30, 2025
  • 1 minute to read

    • Configure the glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled property to the secure value to prevent users from continuing to use a session via cookies after the OAuth token used to create the session expires.

    When the glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled property is not set to the secure value of true, a user may continue to use a session via cookies after the OAuth token used to create the session expires. This increases the risk of cookies being leaked and the session being hijacked by a malicious user to access unauthorized resources. Ensure that the glide property glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled is set to true. If the record does not exist in the sys_properties table, the default value is false.

    More information

    Attribute Description
    Configuration name glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled
    Configuration type System Properties (/sys_properties_list.do)
    Data type boolean
    Recommended value true
    Default value For zboot instances, the property is true. For the update instances, the property is false by default.
    Category Session management
    Security risk
    • Severity score: 5.4
    • CVSS score: Medium
    • Security risk details: When this property is not set to the secure value of true, a user may continue to use a session even after the OAuth token used to create the session has expired, increasing the likelihood of the session being hijacked by a malicious user.
    Dependencies and prerequisites None
    Functional impact

    True: Cookie authentication is only honored until the OAuth access token expires; after the expiration, authentication is not honored.

    False: Cookie authentication is honored even after the OAuth access token expires.