STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279073

CAT II (Medium)

ColdFusion must set a maximum session timeout value.

Rule ID

SV-279073r1171560_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, ColdFusion must be configured to close sessions when a configured condition or trigger event is met, such as user inactivity. ColdFusion offers a system-wide inactivity parameter that sets the session timeout. ColdFusion also allows a developer to override the default timeout and set a new timeout per application. A maximum setting is provided to control how large a timeout a developer can set.

Check Content

Validate the Session Variable Timeout configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.

2. Under the "Maximum Timeout" section, locate the setting for "Session Variables".

If the timeout value for Session Variables is set to greater than 1 hour, this is a finding.
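The following script is an added example for this page, not DISA's or Adobe's code. It models the two values the Discussion and Check Content refer to: the Administrator "Maximum Timeout" for session variables (entered as Days/Hours/Mins/Secs fields on Server Settings >> Memory Variables) and the per-application override in Application.cfc (`this.sessionTimeout = createTimeSpan(days, hours, minutes, seconds)`), which ColdFusion caps at the Administrator maximum according to Adobe's Administrator documentation. It evaluates the STIG condition (a finding when the maximum exceeds 1 hour; exactly 1 hour is compliant) and shows the session lifetime each application actually gets. The Application.cfc snippets, application names and the default-timeout value are constructed sample input.

```python
"""Audit ColdFusion session timeouts against STIG V-279073 (CAT II).

Added example for this page; it is not DISA's or Adobe's code. It models the
Administrator "Maximum Timeout" for session variables (Days/Hours/Mins/Secs on
Server Settings >> Memory Variables) and the per-application override in
Application.cfc (this.sessionTimeout = createTimeSpan(d, h, m, s)), which
ColdFusion caps at the Administrator maximum. The Application.cfc snippets
are constructed sample input.
"""
import re

ONE_HOUR = 3600  # STIG limit: the session maximum timeout must not exceed 1 hour
RULE_ID = "SV-279073r1171560_rule"

# Matches the override as written in CFML (a case-insensitive language), e.g.
#   this.sessionTimeout = createTimeSpan(0, 2, 0, 0);
_OVERRIDE = re.compile(
    r"this\.sessionTimeout\s*=\s*createTimeSpan\(\s*"
    r"([\d.]+)\s*,\s*([\d.]+)\s*,\s*([\d.]+)\s*,\s*([\d.]+)\s*\)",
    re.IGNORECASE,
)

# Constructed sample Application.cfc contents (not from any real deployment).
APP_TWO_HOURS = """component {
    this.name = "hr-portal";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 2, 0, 0);  // asks for 2 hours
}"""
APP_TWENTY_MIN = """component {
    this.name = "intranet";
    this.sessionManagement = true;
    this.sessionTimeout = CreateTimeSpan(0, 0, 20, 0);
}"""
APP_NO_OVERRIDE = """component {
    this.name = "helpdesk";
    this.sessionManagement = true;
}"""


def timespan_seconds(days, hours, minutes, seconds):
    """Convert the four Days/Hours/Mins/Secs fields into whole seconds."""
    return int(round(days * 86400 + hours * 3600 + minutes * 60 + seconds))


def check_admin_max(days, hours, minutes, seconds):
    """Evaluate the Administrator 'Maximum Timeout' for session variables.

    Returns the configured value in seconds and whether it is a finding
    (anything over 1 hour; exactly 1 hour is compliant).
    """
    limit = timespan_seconds(days, hours, minutes, seconds)
    return {"rule": RULE_ID, "max_seconds": limit, "finding": limit > ONE_HOUR}


def parse_override(cfc_source):
    """Return the session timeout requested by Application.cfc, or None."""
    match = _OVERRIDE.search(cfc_source)
    if match is None:
        return None
    return timespan_seconds(*(float(g) for g in match.groups()))


def effective_session_timeout(admin_default, admin_max, cfc_source):
    """Session lifetime ColdFusion actually applies to one application.

    With no override the Administrator 'Default Timeout' applies; an override
    is honoured only up to the Administrator maximum. Returns (seconds, capped).
    """
    requested = parse_override(cfc_source)
    if requested is None:
        requested = admin_default
    return min(requested, admin_max), requested > admin_max


def audit(admin_max_fields, admin_default_seconds, apps):
    """Run the STIG check and report the effective timeout per application."""
    result = check_admin_max(*admin_max_fields)
    result["applications"] = []
    for name, source in apps.items():
        seconds, capped = effective_session_timeout(
            admin_default_seconds, result["max_seconds"], source)
        result["applications"].append(
            {"app": name, "effective_seconds": seconds, "capped_by_max": capped})
    return result


if __name__ == "__main__":
    apps = {"hr-portal": APP_TWO_HOURS, "intranet": APP_TWENTY_MIN,
            "helpdesk": APP_NO_OVERRIDE}
    # Non-compliant server (maximum of 2 days) beside a compliant one (1 hour).
    for fields in ((2, 0, 0, 0), (0, 1, 0, 0)):
        report = audit(fields, admin_default_seconds=1200, apps=apps)
        print("Max", fields, "-> finding:", report["finding"])
        for entry in report["applications"]:
            print("  ", entry)
```

Run with the constructed inputs, the 2-day maximum is reported as a finding and lets the hr-portal application keep its 2-hour sessions, while the 1-hour maximum is compliant and silently caps that same application at 1 hour. The per-application view is the part the Check Content does not give you: after lowering the Administrator maximum, it tells you which applications were relying on longer sessions and will now behave differently.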

Fix Text

Configure the Session Variable Timeout configuration.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Memory Variables.

2. Under the "Maximum Timeout" section, locate the setting for "Session Variables".

3. Set the "Session Variables" maximum timeout to 1 hour or less.

4. Select "Submit Changes".