Session timeout ends a session after a period of user inactivity. A timeout that is too long leaves a stolen or abandoned session usable for longer than necessary, while one that is too short hurts the user experience.
Some interesting readings about Session Management:
You can test the timeout of a session by sending requests every couple of minutes and analyzing the response.
In order to do this, I use Burp Suite Community Edition and Session Timeout Test extension.
Install Burp Suite Community Edition
Burp Suite is a great tool for pentesting web applications, created by PortSwigger.
- Download it from here: https://portswigger.net/burp/communitydownload
- Install it
- Start it (with temporary project and Burp default config)
- Now Burp Proxy should be listening on 127.0.0.1:8080
Set Burp proxy in your browser
Choose a browser (I use Firefox for this) and configure it to use 127.0.0.1:8080 (Burp's default listener) as its proxy.
In Firefox, you can set it by typing about:preferences#general in the URL bar and then going to Network Settings.
Or you can use an extension for this. I recommend FoxyProxy (Firefox or Chrome). By using it, you can easily switch between browser proxies. FoxyProxy will look like this (after you configure the Burp proxy):
Install Burp's CA certificate in your browser
Burp Proxy intercepts traffic between your browser and the web application, so every request passes through it. For HTTPS sites, Burp terminates TLS itself and presents the browser a certificate it generates and signs with its own CA, so you need to add Burp's CA certificate to your browser as a trusted root certificate. PortSwigger provides instructions for installing it in the most common browsers.
Make sure the browser proxy is set to Burp Proxy. Before installing the CA certificate, test the connection to https://www.google.com: you should see Secure Connection Failed, because the browser does not yet trust the certificate Burp presents.
Now continue with Installing Burp's CA Certificate in your browser
If all goes well, you can access HTTPS web pages without any trouble.
Install Session Timeout Test extension
- Open Extender - BApp Store, search for Session Timeout Test, and click Install
- If you want to see if you have this app installed, go to Proxy - HTTP History, and right click on any request. You should see "Test for Session Timeout"
If you don't have any requests in the HTTP history, enable Intercept (Proxy tab - Intercept) and navigate a little bit.
Burp Suite Features
You have already seen Burp Proxy. Every request going through it can easily be modified before it reaches the server.
I want to add that Burp Suite has a lot of nice features to play with.
- Repeater: If you take a request from HTTP history (or live, by intercepting it) and send it to the Repeater, you can easily change some things (e.g. headers, cookies) and repeat the request
- Intruder: I use this to brute force endpoints. It's very nice to customize the payloads. Although it's pretty limited in Community Edition.
- Many other things, so worth playing with it
Test Session Timeout (finally)
Oh, the reason we are here.
What this extension does:
This extension attempts to determine how long it takes for a session to timeout at the server. It issues the same request multiple times with increasing delays until a configured string appears in the response.
To test the session timeout, you need to know how the application behaves when it invalidates the session.
- Open your web application in browser.
- Log in (create an account and log in)
- Go to /my-account or /profile (make sure these requests are going through the Burp Proxy, no intercept necessary)
- Find /my-account request in HTTP history and send it to the Repeater (Right Click - Send to Repeater)
- Go to Repeater and "Send". Read the response (make sure it says you are logged in)
Now wait long enough for your session to be invalidated, then send the same request again from the Repeater and look at the response.
In my case, I found that the /my-account endpoint returns a 302. That was caused by a redirect to the /login page.
The extension keeps resending the request until the response contains the configured string (302 Found in my case) or the configured Maximum Session Duration is reached.
It will report "No timeout detected" or, for example, "Session timeout detected: 3 minutes".
During this process, do not send any other requests to the application: any authenticated request refreshes the idle timer and would skew the result.
If you already know the session timeout and you just want to verify it, you can change the extension's configuration (use a bigger Interval) so you don't have to wait as long.
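As an added example (not part of the original post and not the extension's own code), here is a small Python model of the probe loop the extension performs, run against a constructed stand-in for the server. It assumes a session that is invalidated after a fixed idle period and that any authenticated request refreshes that period; the marker string, interval and limits are made-up values. It also contrasts the growing-delay loop with a naive fixed-interval loop, to show why the delay between probes has to grow when the application uses an idle timeout.

```python
"""Model of a session-timeout probe (added example, not the extension's code)."""
from dataclasses import dataclass


@dataclass
class FakeServer:
    """Constructed stand-in for the application's idle timeout.

    The session is invalidated once `idle_limit` seconds pass with no
    request; every request that still succeeds refreshes the timer.
    """
    idle_limit: int      # seconds of inactivity after which the session dies
    last_seen: int = 0   # simulated time of the last authenticated request
    valid: bool = True

    def handle(self, now: int) -> str:
        # Idle timeout: expire once the gap since the last request reaches the limit.
        if self.valid and now - self.last_seen >= self.idle_limit:
            self.valid = False
        if not self.valid:
            # What the post observed for /my-account after expiry: redirect to /login.
            return "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
        self.last_seen = now  # any authenticated request refreshes the idle timer
        return "HTTP/1.1 200 OK\r\n\r\n<h1>My account</h1>"


def probe_session_timeout(send, marker: str, interval: int, max_duration: int):
    """Resend the same request with growing delays until `marker` appears.

    send(now) issues the request at simulated time `now` and returns the
    response text. Gaps between consecutive requests are interval,
    2*interval, 3*interval, ... because each successful request refreshes
    the idle timer, so only the gap since the *previous* request measures
    idle time. Returns the first idle gap (seconds) that produced `marker`,
    or None if `max_duration` elapsed without seeing it.
    """
    now = 0
    delay = interval
    if marker in send(now):                # baseline: we must start logged in
        raise ValueError("session already invalid before probing")
    while now + delay <= max_duration:
        now += delay
        if marker in send(now):
            return delay                   # gap (delay - interval) succeeded, gap `delay` failed
        delay += interval
    return None


def probe_fixed_interval(send, marker: str, interval: int, max_duration: int):
    """Naive variant with a constant gap: because every successful request
    refreshes the idle timer, it can never observe a timeout longer than
    `interval`, however large `max_duration` is."""
    now = 0
    while now + interval <= max_duration:
        now += interval
        if marker in send(now):
            return interval
    return None


def describe(result, interval: int) -> str:
    """Render the result the way the extension reports it, plus the
    uncertainty implied by the probe interval."""
    if result is None:
        return "No timeout detected"
    lo, hi = result - interval, result
    return (f"Session timeout detected: {hi / 60:g} minutes "
            f"(idle limit is between {lo} s and {hi} s)")


def run_probe(idle_limit: int, interval: int, max_duration: int, growing: bool = True):
    """Convenience wrapper: fresh fake server, one probe run, result in seconds."""
    server = FakeServer(idle_limit=idle_limit)
    probe = probe_session_timeout if growing else probe_fixed_interval
    return probe(server.handle, "302 Found", interval, max_duration)


if __name__ == "__main__":
    # 3-minute idle limit, 60 s interval, give up after 30 minutes.
    print(describe(run_probe(180, 60, 1800), 60))
    # Same server, fixed 60 s gap: the session is kept alive forever.
    print(describe(run_probe(180, 60, 1800, growing=False), 60))
    # 1-hour idle limit but only 10 minutes of patience.
    print(describe(run_probe(3600, 60, 600), 60))
```

The reported figure is an upper bound: with a 60 s interval the true idle limit lies somewhere in the last 60 s gap, so a smaller Interval gives a more precise answer at the cost of a longer test, which is the trade-off behind the Interval and Maximum Session Duration settings.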