
OWASP Top 10 Privacy Risk Countermeasures

OWASP is the acronym for the Open Web Application Security Project.

9. Missing or Insufficient Session Expiration

Risk Description

Failure to effectively enforce session termination.

  • May result in collection of additional user data without the user's consent or awareness.

How to check?
  1. Is the logout button easy to find and promoted?

  2. Is there an automatic session timeout < 1 week (for critical applications < 1 day)?

  3. Are session timeouts long enough to complete a transaction, yet short enough for the sensitivity of the data the session accesses (shorter for higher sensitivity)?

  4. A single service can support several combinations of session sensitivity and length.

    1. Each such available session type should be evaluated.

Countermeasures
  1. Automatic session expiration should be set.

    1. Expiration time could differ widely depending on the criticality of the application and data.

  2. Session timeout should be no longer than a week and much shorter for critical use cases.

    1. A best practice for medium criticality (e.g., webmailer, web shop, social network) is one day as default setting.

  3. Session timeout should be configurable by the user according to his or her needs.

  4. If a user did not use the logout button to end the previous session, the user should see a reminder message at the next login.

  5. If the user is unable to logout, or the logout does not terminate the session completely, data may continue to be collected (e.g., tracking sites the user visits elsewhere).
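As an added example (not code from the OWASP page), the countermeasures above expressed as a small server-side session store: tiered maximum lifetimes, a user-selectable timeout that can only shorten the default, expiry decided on every request rather than trusting the cookie, complete termination on logout, and a reminder flag when the previous session was not ended with the logout button. The tier names and their lifetimes are assumptions chosen to follow the page's guidance.

```python
import secrets
from dataclasses import dataclass

HOUR, DAY = 3600, 24 * 3600
# Maximum absolute session lifetime (seconds) per sensitivity tier. Tier names and
# values are assumed, following the page: critical well under a day, medium one day.
TIER_MAX_LIFETIME = {"critical": 8 * HOUR, "medium": DAY, "low": 7 * DAY}


@dataclass
class Session:
    user: str
    expires_at: float             # absolute expiry, Unix seconds
    ended_by_logout: bool = False


class SessionStore:
    """In-memory store that enforces automatic expiration on the server side."""

    def __init__(self):
        self._sessions = {}       # session id -> Session
        self._last_session = {}   # user -> most recent Session (for the reminder)

    def login(self, user, tier, now, requested_lifetime=None):
        """Start a session; returns (session_id, remind_user_to_logout)."""
        limit = TIER_MAX_LIFETIME[tier]
        # A user may choose a shorter timeout, never a longer one than policy allows.
        lifetime = min(requested_lifetime, limit) if requested_lifetime else limit
        previous = self._last_session.get(user)
        remind = previous is not None and not previous.ended_by_logout
        sid = secrets.token_urlsafe(32)   # unguessable id, never user-supplied
        session = Session(user, now + lifetime)
        self._sessions[sid] = session
        self._last_session[user] = session
        return sid, remind

    def is_active(self, sid, now):
        """Check on every request; expiry is decided here, not by the cookie."""
        session = self._sessions.get(sid)
        if session is None:
            return False
        if now >= session.expires_at:
            del self._sessions[sid]   # expired: drop it so it cannot be revived
            return False
        return True

    def logout(self, sid):
        """Terminate the session completely, not just clear the client cookie."""
        session = self._sessions.pop(sid, None)
        if session is not None:
            session.ended_by_logout = True
```

In a real deployment the store would be backed by a database or cache shared across servers, and `now` would come from the server clock, never from the client.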

Examples
  • When a user forgets to log out of web.de (a German mail provider), a popup tells the user at the next login that logging out is important for security reasons.

  • Facebook does not implement automatic session expiration.

    • The user has to log out manually.

    • If the user does not actively log out and someone else uses the device, that person can access or manipulate the user’s profile.

  • Amazon implements security without a logout button by partitioning the content into different sensitivity levels, and tracking the x-main and session-id cookies.

    • Amazon ensures that only the authenticated user can access personal details, but provides personalized content to a returning user without login.

    • See Sign Out of Your Account.
