Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5]

  • Release version: Washingtondc
  • Updated February 1, 2024
  • The glide.active.session.timeout.invalidate.session property controls whether a timed-out session is proactively invalidated before the Tomcat server invalidates it.

    When glide.active.session.timeout.invalidate.session is not set to true, there can be a small interval of time (60 or more seconds, depending on queue size) during which a timed-out session is not yet invalidated. If a session is hijacked, an attacker may be able to use the session during this interval. To remediate this security risk, set glide.active.session.timeout.invalidate.session to true.

    More information

    Attribute                       Description
    Configuration name              glide.active.session.timeout.invalidate.session
    Configuration type              System Properties (/sys_properties_list.do)
    Data type                       boolean
    Recommended value               true
    Default value                   false
    Category                        Session management
    Security risk                   • Severity score: 4.6
                                    • CVSS score: Medium
                                    • Security risk details: Not setting this property to the recommended value of true could cause a timed-out session to not be invalidated. This increases the chances of a bad actor hijacking a session.
    Dependencies and prerequisites  None
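
One way to audit this setting from outside the instance, as an added example that is not part of the original documentation: the script builds a Table API query for the property's sys_properties record and classifies the JSON response against the recommended and default values in the table above. The host name, the function names, the sample responses, and the rule that a missing record means the default applies are assumptions of this example.

```python
import json
from urllib.parse import urlencode

PROPERTY = "glide.active.session.timeout.invalidate.session"
DEFAULT = "false"      # default value stated on this page
RECOMMENDED = "true"   # recommended value stated on this page


def table_api_url(instance_base):
    """Table API query for the sys_properties record of PROPERTY."""
    query = urlencode({
        "sysparm_query": "name=" + PROPERTY,
        "sysparm_fields": "name,value",
    })
    return instance_base.rstrip("/") + "/api/now/table/sys_properties?" + query


def audit(response_text):
    """Classify a Table API JSON response for the property."""
    rows = [r for r in json.loads(response_text).get("result", [])
            if r.get("name") == PROPERTY]
    if not rows:
        # Assumption: with no record, the documented default is in effect.
        value, source = DEFAULT, "default (no sys_properties record)"
    else:
        # Assumption: only the string "true" (any case) enables the property.
        value = (rows[0].get("value") or "").strip().lower()
        source = "sys_properties"
    compliant = value == RECOMMENDED
    return {"property": PROPERTY, "effective_value": value, "source": source,
            "compliant": compliant,
            "finding": None if compliant else
            "timed-out sessions may stay usable until the server invalidates them"}


# Constructed sample responses (not captured from a real instance).
SAMPLE_SET = json.dumps({"result": [{"name": PROPERTY, "value": "true"}]})
SAMPLE_UNSET = json.dumps({"result": []})
SAMPLE_FALSE = json.dumps({"result": [{"name": PROPERTY, "value": "false"}]})

if __name__ == "__main__":
    print(table_api_url("https://example.service-now.com"))  # placeholder host
    for sample in (SAMPLE_SET, SAMPLE_UNSET, SAMPLE_FALSE):
        print(audit(sample))
```

An instance with no record for the property is reported as non-compliant because the default value is false.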