DanielGabriel
Level 3
Status: Not Planned

Session timeout represents the event occurring when a user does not perform any action on the client application during an interval (defined by a web server). The event, on the server side, changes the status of the user session to ‘invalid’ (i.e. “not used anymore”) and instructs the web server to destroy it (deleting all data contained in it).

It is recommended to set session timeout to the minimal value possible depending on the context of the application. Usually idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications as per OWASP.
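The idle-timeout behaviour the idea describes, written out as a minimal server-side session store. This is an added example for illustration; it is not code from the post and not Blue Prism's own code, and the class and function names (SessionStore, touch, sweep, FakeClock) are hypothetical. The two timeout constants take the OWASP ranges the post cites. The two details worth seeing in code are that the expiry check runs before the activity timestamp is refreshed (so a late request cannot resurrect an already-idle session) and that destroying a session clears its data rather than merely dropping the reference.

```python
import secrets
import time
from dataclasses import dataclass, field

# Idle limits taken from the OWASP figures quoted in the post (seconds).
IDLE_TIMEOUT_HIGH_VALUE = 5 * 60    # upper end of the 2-5 minute range
IDLE_TIMEOUT_LOW_RISK = 30 * 60     # upper end of the 15-30 minute range


@dataclass
class Session:
    user: str
    data: dict = field(default_factory=dict)
    last_activity: float = 0.0      # clock reading of the most recent request


class SessionStore:
    """In-memory session store enforcing an idle (inactivity) timeout.

    `clock` must be monotonic: wall-clock adjustments would otherwise
    lengthen or shorten the idle window. It is injectable so the example
    can be driven deterministically without sleeping.
    """

    def __init__(self, idle_timeout: int, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256-bit random session identifier from the OS CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_activity=self.clock())
        return sid

    def _expired(self, session: Session) -> bool:
        return self.clock() - session.last_activity > self.idle_timeout

    def touch(self, sid: str):
        """Validate a session on an incoming request and reset its idle timer.

        Returns the Session, or None when the id is unknown or has idled out.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        # Check expiry BEFORE refreshing the timestamp; otherwise a request
        # arriving after the window would silently revive the session.
        if self._expired(session):
            self.destroy(sid)
            return None
        session.last_activity = self.clock()
        return session

    def destroy(self, sid: str) -> None:
        """Invalidate the session and delete all data it contained."""
        session = self._sessions.pop(sid, None)
        if session is not None:
            session.data.clear()

    def sweep(self) -> int:
        """Reaper for sessions whose client never comes back.

        Without this, an idle session's data would linger until the next
        request for that id, which for an abandoned browser may be never.
        """
        expired = [sid for sid, s in self._sessions.items() if self._expired(s)]
        for sid in expired:
            self.destroy(sid)
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed monotonic clock so the walkthrough runs offline and instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    """Walk one high-value session through activity, reset and timeout."""
    clock = FakeClock()
    store = SessionStore(IDLE_TIMEOUT_HIGH_VALUE, clock=clock)
    sid = store.create("alice")
    store.touch(sid).data["cart"] = ["item-1"]

    clock.advance(4 * 60)                      # 4 min idle: inside the 5 min window
    alive_after_4_min = store.touch(sid) is not None

    clock.advance(4 * 60)                      # another 4 min, but touch() reset the timer
    alive_after_reset = store.touch(sid) is not None

    clock.advance(5 * 60 + 1)                  # 5 min 1 s idle: past the window
    alive_after_timeout = store.touch(sid) is not None

    return alive_after_4_min, alive_after_reset, alive_after_timeout, store.active_count()


if __name__ == "__main__":
    print(demo())
```

A real deployment would back the store with a shared cache or database and run sweep() on a timer; the check-before-refresh ordering and the data wipe on destroy are what carry over unchanged.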

4 Comments
DanielGabriel
Level 3
Status changed to: Not Planned

Hi @DanielGabriel,

Several of our WorkHQ capabilities offer an automatic timeout feature in the event of user inactivity, but given this idea is about Blue Prism Enterprise specifically I can confirm that this feature is not going to be developed as part of the roadmap for our current on-premise product.

As a result of this update, I'm going to move this idea to Not Planned.

Regards,

Rob

DanielGabriel
Level 3

Thanks Rob for your response.

Could you please elaborate on any compensatory control that may mitigate the security exposure of this reported vulnerability?

Hi @DanielGabriel,

The recommended mechanism for mitigating risks from an unattended session is the OS-enforced screen lock, managed via the domain's Group Policy. This control effectively secures the application by securing the entire user session.

Regards,

Rob