View Issue Details

ID: 17383
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-06-25 15:14
Reporter: bcanova
Assigned To: ollehar
Priority: none
Severity: minor
Status: closed
Resolution: won't fix
Product Version: 3.25.20
Summary: 17383: No session termination due to inactivity
Description

The web application does not lock or terminate administrator sessions after a suitable period of inactivity. During testing, the application session was allowed to remain inactive for several days and the session was not automatically locked or terminated. Permitting an excessively long inactivity period presents the opportunity for an unattended session to be accessed by an unauthorized person. In the worst case, this could result in access to or modification (including deletion) of inmate survey data, privilege escalation and access to critical application functions.
Note: This does not apply to API tokens, as they automatically expire two hours after creation, unless the user commands earlier expiration.

Steps To Reproduce

During testing, the application session was allowed to remain inactive for several days and the session was not automatically locked or terminated.

Additional Information

A cursory search of LimeSurvey documentation and forums indicates there is no standard setting for terminating an inactive session. Typical advice is to configure this within the web server. In the assessment environment, the /usr/local/etc/php/php.ini file has the line:

session.cookie_lifetime = 0

This line configures the PHPSESSID cookie's lifetime to remain valid until the client browser is restarted. For the specific environment used in this assessment, this line should be configured to 600 (seconds). However, such an important security control should be clearly explained in the application's documentation and ideally be configurable via the application's GUI.
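As an added example (not LimeSurvey code, nor the reporter's), an application-side idle timeout for PHP sessions: session.cookie_lifetime only tells the browser when to discard the cookie, so the server should also record the last activity time and destroy any session that has been idle longer than the chosen limit. The 600 second value is the one proposed above; the session key name and the helper function names are assumptions.

```php
<?php
// Added example, not LimeSurvey code: server-side inactivity timeout for PHP sessions.
// session.cookie_lifetime only governs the cookie in the browser; this enforces the
// limit on the server, where an unattended session would otherwise stay valid.

const IDLE_TIMEOUT_SECONDS = 600; // value suggested in the report for the assessed environment

/**
 * Pure policy check: is a session expired given its last activity timestamp?
 * Kept separate from $_SESSION so the rule can be unit-tested on its own.
 */
function sessionIsExpired(?int $lastActivity, int $now, int $idleTimeout = IDLE_TIMEOUT_SECONDS): bool
{
    // A session with no recorded activity is treated as expired (fail closed).
    if ($lastActivity === null) {
        return true;
    }
    return ($now - $lastActivity) > $idleTimeout;
}

/**
 * Call at the start of every authenticated request (hypothetical helper name).
 * Returns false after destroying an idle session; true after refreshing the timestamp.
 */
function enforceIdleTimeout(int $idleTimeout = IDLE_TIMEOUT_SECONDS): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now  = time();
    $last = $_SESSION['last_activity'] ?? null; // assumed key name

    if (sessionIsExpired($last, $now, $idleTimeout)) {
        // Clear server-side state and expire the client cookie so the id cannot be reused.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false; // caller should redirect to the login page
    }

    $_SESSION['last_activity'] = $now;
    return true;
}
```

Note that session.gc_maxlifetime still needs to be at least as long as the idle limit, otherwise PHP's garbage collector may remove sessions earlier than this check does.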

Tags: No tags attached.
Attached Files:
image.png (2,360 bytes)
image-2.png (24,117 bytes)
image-3.png (25,154 bytes)
Bug heat: 252
Complete LimeSurvey version number (& build): 3.27.4
I will donate to the project if issue is resolved: No
Browser: Chrome
Database type & version: MySQL 5.5.9
Server OS (if known): CentOS 7
Webserver software & version (if known):
PHP Version: 7.2.5


Activities

DenisChenu (developer), 2021-06-22 17:03, note ~64987

Server configuration issue. Not LimeSurvey issue.

Issue History

Date Modified Username Field Change
2021-06-22 16:59 bcanova New Issue
2021-06-22 16:59 bcanova File Added: image.png
2021-06-22 16:59 bcanova File Added: image-2.png
2021-06-22 16:59 bcanova File Added: image-3.png
2021-06-22 17:03 DenisChenu Note Added: 64987
2021-06-25 15:14 ollehar Assigned To => ollehar
2021-06-25 15:14 ollehar Status new => closed
2021-06-25 15:14 ollehar Resolution open => won't fix