Rule ID
SV-269572r1053491_rule
Version
V1R2
When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser. Leaving a session open in the browser even after it is closed could expose the system to various types of attacks, like cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk. Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413
Verify session expires after browser is closed. Execute the following: $ grep SESSION_EXPIRE_AT_BROWSER_CLOSE /etc/xylok.conf SESSION_EXPIRE_AT_BROWSER_CLOSE=True If "SESSION_EXPIRE_AT_BROWSER_CLOSE" is not set to "True" or is missing, this is a finding.
Set the session expiration:
1. As root, open /etc/xylok.conf in a text editor.
2. Add/Amend "SESSION_EXPIRE_AT_BROWSER_CLOSE=True" to the configuration file.
3. Restart Xylok to apply settings by executing the following:
# systemctl restart xylok