Session timeout + reauthentication on sensitive ops
Description
What this control does
This control enforces automatic termination of authenticated sessions after a defined period of inactivity and requires users to re-authenticate before performing sensitive operations such as changing passwords, accessing privileged accounts, modifying security settings, or processing financial transactions. Session timeouts reduce the window of opportunity for unauthorized access when users leave workstations unattended, while step-up authentication for sensitive actions ensures that even within an active session, critical operations require fresh credential verification. Together, these mechanisms limit exposure from session hijacking, credential theft, and insider misuse.
Control objective
What auditing this proves
Demonstrate that the organization enforces both inactivity-based session termination within policy-defined thresholds and mandatory reauthentication prior to executing sensitive operations across applicable systems.
Associated risks
Risks this control addresses
- Unauthorized access to active sessions left unattended on shared or public workstations
- Session hijacking via network interception or cross-site scripting attacks exploiting long-lived tokens
- Privilege escalation by attackers who gain limited access and perform sensitive operations without additional verification
- Insider threat actors exploiting dormant sessions to conduct unauthorized transactions or configuration changes
- Compliance violations due to lack of enforced session controls required by regulatory frameworks (PCI-DSS, HIPAA, SOX)
- Data exfiltration or unauthorized modifications performed during extended session windows when users are absent
- Replay attacks leveraging stale session tokens that remain valid beyond acceptable time periods
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's session management policy to identify documented timeout thresholds for different user roles and system classifications, and the list of operations classified as sensitive requiring reauthentication.
- Select a representative sample of in-scope applications, including web applications, remote access portals, administrative consoles, and database management interfaces spanning different risk tiers.
- For each sampled system, retrieve session timeout configuration settings from application servers, identity providers, or session management modules via configuration exports or administrative console screenshots.
- Conduct live testing by authenticating to each sampled system, noting the session start time, remaining idle beyond the documented timeout threshold, and attempting to perform standard actions to confirm automatic session termination occurs.
- Perform step-up authentication testing by logging into sampled systems and attempting sensitive operations such as password changes, permission modifications, or financial transactions to verify that reauthentication prompts appear before completion.
- Review session activity logs or security information and event management (SIEM) data for evidence of timeout enforcement, including session expiration events, forced logout records, and step-up authentication challenges over a 30-day period.
- Interview system administrators and application owners to confirm implementation methods, exception handling procedures, and compensating controls for systems unable to natively support timeout or reauthentication requirements.
- Cross-reference identified timeout values and reauthentication triggers against industry standards (e.g., 15-30 minutes for general applications, 10 minutes for privileged sessions) and regulatory requirements applicable to the organization.
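The two checks an auditor applies to exported session logs, idle-timeout duration against the policy threshold and sensitive operations against a recent reauthentication, as an added example that is not part of the original page. The log format, session tiers, threshold values, event names and tolerance are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy thresholds: assumed values for this example, not taken from any real policy.
IDLE_TIMEOUT = {"general": timedelta(minutes=15), "privileged": timedelta(minutes=10)}
STEP_UP_FRESHNESS = timedelta(minutes=5)   # step-up must be at most this old before a sensitive op
SENSITIVE_OPS = {"password_change", "permission_modify", "fund_transfer"}
TOLERANCE = timedelta(seconds=60)          # slack for the scheduler that fires the timeout

# Constructed sample export: timestamp, session id, session tier, event, detail.
SAMPLE_LOG = """\
2024-03-01T09:00:00 s1 general login -
2024-03-01T09:05:00 s1 general action view_report
2024-03-01T09:19:30 s1 general timeout idle
2024-03-01T10:00:00 s2 privileged login -
2024-03-01T10:02:00 s2 privileged action view_users
2024-03-01T10:30:00 s2 privileged timeout idle
2024-03-01T11:00:00 s3 general login -
2024-03-01T11:01:00 s3 general stepup ok
2024-03-01T11:03:00 s3 general action password_change
2024-03-01T11:20:00 s3 general action fund_transfer
"""

def parse_log(text):
    """Group the whitespace-separated export into per-session event lists in time order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, tier, event, detail = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), tier, event, detail))
    return {sid: sorted(events) for sid, events in sessions.items()}

def audit(sessions):
    """Return (session_id, finding) pairs for each policy violation visible in the log."""
    findings = []
    for sid, events in sessions.items():
        last_activity = last_stepup = None   # login counts as fresh credential verification
        for ts, tier, event, detail in events:
            if event == "timeout":
                # Idle duration is measured from the last user activity, not from login.
                if last_activity and ts - last_activity > IDLE_TIMEOUT[tier] + TOLERANCE:
                    findings.append((sid, f"idle timeout fired after {ts - last_activity} "
                                          f"(policy {IDLE_TIMEOUT[tier]})"))
                continue
            if event in ("login", "stepup"):
                last_stepup = ts
            elif event == "action" and detail in SENSITIVE_OPS:
                if last_stepup is None or ts - last_stepup > STEP_UP_FRESHNESS:
                    findings.append((sid, f"{detail} without reauthentication "
                                          f"in the last {STEP_UP_FRESHNESS}"))
            last_activity = ts
    return findings
```

On the sample data, s1 passes (14.5 minutes idle against a 15-minute threshold), s2 is flagged because a privileged session idled 28 minutes, and s3 is flagged for the funds transfer 19 minutes after its last step-up while the password change two minutes after it passes.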
Where this control is tested