
The Apache web server must set an inactive timeout for sessions.


Overview

Finding ID: V-92561
Version: AS24-W2-000650
Rule ID: SV-102649r1_rule
IA Controls: none listed
Severity: Medium
Description
Leaving sessions open indefinitely is a major security risk. An attacker can reuse an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server ensures that sessions which are not ended by the user logging out of an application are eventually closed. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

Note that the directive this rule actually checks, RequestReadTimeout from mod_reqtimeout, bounds how long Apache waits for a client to finish sending request headers and body (which also limits slow-request attacks such as Slowloris); it does not expire authenticated application sessions. Session inactivity limits in the ranges above must still be enforced by the hosted application or its authentication layer.
STIG: Apache Server 2.4 Windows Site Security Technical Implementation Guide
Date: 2019-10-03

Details

Check Text ( C-91865r1_chk )
Review the <'INSTALLED PATH'>\conf\httpd.conf file.

Verify that the "mod_reqtimeout" module is loaded, i.e. an uncommented "LoadModule reqtimeout_module" line is present.

If the module is not loaded, this is a finding.

If the "mod_reqtimeout" module is loaded but the "RequestReadTimeout" directive is not configured, this is a finding.
Fix Text (F-98803r1_fix)
Edit the <'INSTALLED PATH'>\conf\httpd.conf file and load the "mod_reqtimeout" module with a "LoadModule reqtimeout_module" line.

Set the "RequestReadTimeout" directive, then restart the Apache service so the change takes effect.
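The following PowerShell script is an added example, not part of the STIG text or of Apache's own tooling. It performs the check above the way the check text describes it (an active LoadModule line for mod_reqtimeout, and an active RequestReadTimeout directive) and, when run with -Fix, appends the missing directives and syntax-checks the result. The install path C:\Apache24, the module file name modules/mod_reqtimeout.so, and the timeout values are assumptions; adjust them to your build.

```powershell
<#
Added example, not part of the STIG or of Apache's own tooling.
Audits httpd.conf for AS24-W2-000650 (mod_reqtimeout loaded and
RequestReadTimeout configured) and, with -Fix, appends what is missing.
The install path, module file name and timeout values are assumptions.
#>
param(
    [string]$HttpdConf = 'C:\Apache24\conf\httpd.conf',   # assumed install path
    [switch]$Fix
)

if (-not (Test-Path -LiteralPath $HttpdConf)) {
    throw "httpd.conf not found at $HttpdConf"
}

$lines = Get-Content -LiteralPath $HttpdConf

# A directive only counts if it is active, i.e. not behind a leading '#'.
$moduleLoaded = [bool]($lines | Where-Object { $_ -match '^\s*LoadModule\s+reqtimeout_module\s' })
$timeoutSet   = [bool]($lines | Where-Object { $_ -match '^\s*RequestReadTimeout\s' })

$findings = @()
if (-not $moduleLoaded) {
    $findings += 'mod_reqtimeout is not loaded'
} elseif (-not $timeoutSet) {
    $findings += 'mod_reqtimeout is loaded but RequestReadTimeout is not configured'
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $HttpdConf loads mod_reqtimeout and sets RequestReadTimeout"
    return
}

$findings | ForEach-Object { Write-Warning "FINDING: $_" }
if (-not $Fix) { return }

# Back up before editing a production configuration file.
Copy-Item -LiteralPath $HttpdConf -Destination "$HttpdConf.bak" -Force

$append = @()
if (-not $moduleLoaded) {
    # Module file name as shipped in Windows builds of Apache 2.4 (assumed).
    $append += 'LoadModule reqtimeout_module modules/mod_reqtimeout.so'
}
if (-not $timeoutSet) {
    # These are mod_reqtimeout's documented defaults: up to 20 s to receive the
    # request headers, extended by 1 s per 500 bytes received up to a 40 s
    # ceiling; 20 s for the body with the same minimum rate. Tune per site.
    $append += 'RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500'
}
Add-Content -LiteralPath $HttpdConf -Value $append

# Syntax-check the edited configuration before restarting the service.
$httpd = Join-Path (Split-Path (Split-Path $HttpdConf -Parent) -Parent) 'bin\httpd.exe'
& $httpd -t
if ($LASTEXITCODE -ne 0) {
    throw 'httpd.exe -t reported a configuration error; restore from the .bak file'
}
Write-Output 'Directives appended; restart the Apache service to apply them.'
```

Like the check text, the script reads only httpd.conf. If a site splits its configuration across Include files, extend the scan to those files, since an active directive living there would otherwise be reported as a finding.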