Xylok Security Suite must expire a session upon browser closing.

Overview

Finding ID: V-269572
Version: XYLK-20-000005
Rule ID: SV-269572r1053491_rule
IA Controls: CCI-000056
Severity: high
Description
When the session expires as soon as the browser is closed, it prevents session hijacking and stops unauthorized users from accessing the account or data if they reopen the browser. Leaving a session open even after the browser is closed could expose the system to attacks such as cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk.

Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413
STIG: Xylok Security Suite 20.x Security Technical Implementation Guide
Date: 2024-12-13

Related Frameworks

3 paths across 3 frameworks

NIST 800-53 (1 mapping): AC-11 · 1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (1 mapping): 3.1.10 · 1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping): CCI-000056 · 1.00
  • DISA · 1 · disa_xccdf · related

Details

Check Text (C-269572r1053491_chk)

Verify that the session expires after the browser is closed. Execute the following:

$ grep SESSION_EXPIRE_AT_BROWSER_CLOSE /etc/xylok.conf
SESSION_EXPIRE_AT_BROWSER_CLOSE=True

If "SESSION_EXPIRE_AT_BROWSER_CLOSE" is not set to "True" or is missing, this is a finding.
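As an added example (not the STIG's own check text and not Xylok tooling), the following POSIX shell audit function implements this check more strictly than the bare grep above: a commented-out "#SESSION_EXPIRE_AT_BROWSER_CLOSE=True" line would satisfy the grep but still leave the setting missing. /etc/xylok.conf is the path the check text names; the sample configs are constructed.

```shell
# Added example, not part of the STIG text: audit a Xylok config file for
# SESSION_EXPIRE_AT_BROWSER_CLOSE=True as a compliance scanner would. Unlike a
# plain grep it skips commented-out lines, tolerates whitespace and quotes, and
# uses the last uncommented assignment. Exit status: 0 = compliant, 1 = finding.
check_session_expire() {
    conf="${1:-/etc/xylok.conf}"
    if [ ! -r "$conf" ]; then
        echo "FINDING: $conf is missing or unreadable"
        return 1
    fi
    # Drop comments, keep assignments of the key, take the last one, then
    # strip everything up to '=', trailing whitespace and optional quotes.
    value=$(sed -e 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*SESSION_EXPIRE_AT_BROWSER_CLOSE[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e "s/^[\"']//" -e "s/[\"']\$//")
    if [ "$value" = "True" ]; then   # STIG requires the literal value True
        echo "PASS: SESSION_EXPIRE_AT_BROWSER_CLOSE=True in $conf"
        return 0
    fi
    echo "FINDING: SESSION_EXPIRE_AT_BROWSER_CLOSE is '${value:-<missing>}' in $conf"
    return 1
}

# Write a constructed sample config to $1 (variant $2: "good" or "commented").
write_sample_config() {
    if [ "$2" = "good" ]; then
        printf '%s\n' '# constructed sample xylok.conf' \
            '  SESSION_EXPIRE_AT_BROWSER_CLOSE = True   # expire on close' > "$1"
    else
        printf '%s\n' '# constructed sample xylok.conf' \
            '#SESSION_EXPIRE_AT_BROWSER_CLOSE=True' > "$1"
    fi
}

# Demo: a plain grep would match the commented-out line; this check does not.
demo() {
    tmp=$(mktemp)
    for variant in good commented; do
        write_sample_config "$tmp" "$variant"
        printf '%s -> ' "$variant"
        check_session_expire "$tmp" || true
    done
    rm -f "$tmp"
}
demo
```

Run `check_session_expire` with no argument on a real host to audit /etc/xylok.conf; the exit status can feed a scanner or a shell pipeline directly.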

Fix Text (F-73506r1053490_fix)

Set the session expiration:

1. As root, open /etc/xylok.conf in a text editor.
2. Add or amend "SESSION_EXPIRE_AT_BROWSER_CLOSE=True" in the configuration file.
3. Restart Xylok to apply the settings by executing the following:

# systemctl restart xylok