sag
Minnow
Posts: 18
Post by sag on Jul 10, 2024 17:29:04 GMT
This feature request is for a new optional behavior and new optional property in SessionService. The concept of absolute session timeout is simple: if a hijacker intercepts a session token, they should not be able to use it forever by keeping it active. Instead, the admin needs to re-authenticate every now and then, regardless of session activity. Proposed model: if AbsoluteSessionTimeout property in SessionService is present and is not null, that means that a Redfish instance enforces absolute timeouts of that many seconds for all sessions. Reference: cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#absolute-timeout
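The behaviour proposed in the post above, modelled as an added example that is not part of the forum thread or of the Redfish specification: a session store that enforces the existing idle timeout (SessionTimeout) together with the proposed AbsoluteSessionTimeout, where None means absolute expiry is not enforced. The class and function names, the injectable clock and the keep-alive simulation are assumptions made for illustration; only the property name and its meaning come from the proposal.

```python
"""Idle timeout plus optional absolute timeout for bearer-token sessions.

Added example, not code from the forum post or from the Redfish project.
Assumed names: SessionService, Session, FakeClock, simulate_keepalive.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    token: str
    user: str
    created_at: float     # time of authentication; never refreshed
    last_activity: float  # refreshed on every successful use


@dataclass
class SessionService:
    # Idle timeout in seconds (Redfish already exposes SessionTimeout).
    session_timeout: int = 1800
    # Proposed property: absolute lifetime in seconds; None = not enforced.
    absolute_session_timeout: Optional[int] = None
    # Clock is injectable so expiry can be exercised without sleeping.
    clock: Callable[[], float] = time.time
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user: str) -> str:
        """Authenticate `user` and return a fresh, unguessable session token."""
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the session's user if the token is still valid, else None.

        A valid request refreshes last_activity (idle timer) but never
        created_at, so keeping a session busy cannot extend its absolute life.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_activity > self.session_timeout:
            self._sessions.pop(token, None)
            return None
        if (self.absolute_session_timeout is not None
                and now - s.created_at > self.absolute_session_timeout):
            self._sessions.pop(token, None)
            return None
        s.last_activity = now
        return s.user


class FakeClock:
    """Constructed clock for the simulation below (not a real time source)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_keepalive(absolute_timeout: Optional[int], idle_timeout: int = 1800,
                       probes: int = 100, interval: int = 600) -> int:
    """Touch one session every `interval` seconds; return how many touches succeed.

    Without an absolute timeout every probe succeeds, i.e. a stolen token stays
    usable for as long as its holder keeps it active. With one, the count is
    bounded by absolute_timeout // interval regardless of activity.
    """
    clock = FakeClock()
    svc = SessionService(session_timeout=idle_timeout,
                         absolute_session_timeout=absolute_timeout, clock=clock)
    token = svc.create("admin")
    ok = 0
    for _ in range(probes):
        clock.advance(interval)
        if svc.validate(token) is None:
            break
        ok += 1
    return ok


if __name__ == "__main__":
    print("no absolute timeout:", simulate_keepalive(None))   # 100
    print("absolute 3600 s:   ", simulate_keepalive(3600))   # 6
```

The simulation makes the post's point concrete: with only an idle timeout, a token touched every 10 minutes remains valid for all 100 probes (about 17 hours and onward), while an absolute timeout of 3600 s cuts it off after the sixth touch no matter how active the session is. Operationally, the absolute limit should be checked before any activity-based refresh, and a session that hits it should be removed so that the next use returns an authentication error rather than a stale success.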
Post by mraineri on Jul 10, 2024 18:25:40 GMT
Interesting idea. I'll raise it to the group to discuss further.