Sessions expire after 15min inactivity for financial ops
Why it matters
An inactivity timeout longer than 15 minutes on a financial application leaves an authenticated session open on an unattended device: a walk-up attacker can initiate a wire transfer, change account details, or exfiltrate account history without needing credentials. CWE-613 (Insufficient Session Expiration) describes the weakness, and PCI-DSS 4.0 Req 8.2.8 mandates an idle timeout of 15 minutes or less, precisely because the attack surface is physical access, not network intrusion. NIST SP 800-63B likewise ties reauthentication after inactivity to the authenticator assurance level (30 minutes at AAL2, 15 minutes at AAL3): higher-value operations demand shorter windows. A 30-minute timeout means every unlocked laptop in a coffee shop is a potential account takeover waiting for an opportunist.
Severity rationale
Critical because an oversized inactivity window keeps an authenticated session usable for the whole window by whoever reaches the unattended device, or by whoever holds a copied session cookie, with full financial operation access and no credentials required.
Remediation
Set the inactivity timeout to 900000ms in src/middleware.ts or src/lib/session.ts and enable rolling reset on each request. With express-session, `rolling: true` is what turns `maxAge` into an inactivity window; without it the cookie keeps the expiry it was given at login:
const session = require('express-session');
app.use(session({
secret: process.env.SESSION_SECRET, // express-session refuses to start without a secret
cookie: { maxAge: 15 * 60 * 1000 }, // 900000ms — 15 minutes
rolling: true, // re-issue the cookie with a fresh maxAge on every response
resave: false,
saveUninitialized: false
}));
For route-specific enforcement on high-value paths, wrap them individually:
app.use('/api/transfer', sessionTimeout(15 * 60 * 1000)); // sessionTimeout is an illustrative per-route middleware, not an express-session API; it must check and refresh a server-side last-activity timestamp
Verify the value is no more than 900000ms, and not just the session cookie maxAge: the client-side cookie expiry is advisory, since an attacker replaying a copied session ID sets whatever cookie headers they like. The server-side store expiry is the control that actually ends the session, so check any Redis TTL or other store expiry as well (connect-redis's `ttl` option is in seconds, so the ceiling there is 900).
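The route-specific enforcement above, worked through as an added example that is not the page's or any project's code. It keeps a last-activity timestamp in the session on the server side (so a replayed cookie cannot extend the window), fails closed when the stamp is missing, destroys the session on timeout, and resets the window on every allowed request. The names inactivityGuard, markActivity and session.lastActivityAt are assumptions for this illustration; the request/response shapes are the minimal structural subset of Express used here so the block runs without Express installed.

```typescript
// Added example, not the page's or any project's code: server-side enforcement
// of a 15-minute inactivity window for financial routes. inactivityGuard,
// markActivity and session.lastActivityAt are assumed names for this illustration.

const FINANCIAL_INACTIVITY_MS = 15 * 60 * 1000; // 900000 ms, the PCI-DSS 4.0 Req 8.2.8 ceiling

interface ActivitySession {
  lastActivityAt?: number;                       // epoch ms of the last guarded request
  destroy?: (cb: (err?: Error) => void) => void; // express-session exposes this on req.session
}

interface Verdict {
  ok: boolean;
  reason?: 'no-activity-stamp' | 'invalid-activity-timestamp' | 'inactivity-timeout';
  idleMs: number;
}

// Stamp the session at login and on every successful guarded request.
function markActivity(session: ActivitySession, now: number): void {
  session.lastActivityAt = now;
}

// Pure decision: is this session still inside its inactivity window at `now`?
// Kept free of Express so it can be unit-tested and reused by other guards.
function checkInactivity(session: ActivitySession, now: number, limitMs: number): Verdict {
  if (session.lastActivityAt === undefined) {
    // Fail closed: a session never stamped at login is not trusted on a financial route.
    return { ok: false, reason: 'no-activity-stamp', idleMs: 0 };
  }
  const idleMs = now - session.lastActivityAt;
  if (idleMs < 0) {
    // Clock skew or a tampered timestamp: refuse rather than extend the window.
    return { ok: false, reason: 'invalid-activity-timestamp', idleMs };
  }
  if (idleMs > limitMs) {
    return { ok: false, reason: 'inactivity-timeout', idleMs };
  }
  return { ok: true, idleMs };
}

// Minimal Express-like shapes (structural types, so no express import is needed).
interface Req { session?: ActivitySession }
interface Res { status: (code: number) => Res; json: (body: unknown) => void }
type Next = () => void;

// Middleware factory: app.use('/api/transfer', inactivityGuard(FINANCIAL_INACTIVITY_MS)).
// `clock` is injectable so the window can be exercised without waiting 15 minutes.
function inactivityGuard(limitMs: number, clock: () => number = Date.now) {
  return (req: Req, res: Res, next: Next): void => {
    const session = req.session;
    if (!session) {
      res.status(401).json({ error: 'no-session' });
      return;
    }
    const now = clock();
    const verdict = checkInactivity(session, now, limitMs);
    if (!verdict.ok) {
      // Kill the server-side record, not just the cookie: a replayed cookie must not revive it.
      if (session.destroy) session.destroy(() => {});
      res.status(401).json({ error: verdict.reason, idleMs: verdict.idleMs });
      return;
    }
    markActivity(session, now); // rolling reset: activity extends the window
    next();
  };
}

// Walk-up scenario with a fake clock: login, a request 14 minutes later (allowed,
// window resets), then nothing for 16 minutes (blocked, session destroyed).
function simulateWalkUp(): number[] {
  let t = 1700000000000; // constructed epoch ms; any fixed instant works
  const session: ActivitySession = { destroy: (cb) => { session.lastActivityAt = undefined; cb(); } };
  markActivity(session, t); // the login handler must stamp the session
  const guard = inactivityGuard(FINANCIAL_INACTIVITY_MS, () => t);
  const codes: number[] = [];
  const res: Res = { status: (c) => { codes.push(c); return res; }, json: () => {} };
  for (const minutes of [14, 16]) {
    t += minutes * 60 * 1000;
    guard({ session }, res, () => codes.push(200)); // 200 stands for "next() reached"
  }
  return codes; // [200, 401]
}
```

The boundary is inclusive (exactly 900000 ms of idle time still passes, one millisecond more fails), matching the "no more than 900000ms" wording of the check. Apply the guard globally with the application's general limit and again on financial paths with the 15-minute limit; the stricter of the two wins because each guard checks the same stamp.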
Detection
- ID: inactivity-timeout-15min
- Severity: critical
- What to look for: Count all session configuration files and quote the actual timeout value found (in milliseconds or minutes). Enumerate all financial operation routes and verify each has an inactivity timeout of no more than 900000ms (15 minutes). A timeout exceeding 15 minutes for financial operations does not count as a pass; do not pass if any financial route has a timeout above 900000ms.
- Pass criteria: Session configuration explicitly sets an inactivity timeout of no more than 15 minutes (900000ms) for at least 90% of financial operation routes, and no financial route exceeds 900000ms (see fail criteria). Count all financial routes and report the ratio even on pass (e.g., "5 of 5 financial routes have 15min timeout, maxAge: 900000"). Quote the actual timeout value.
- Fail criteria: No inactivity timeout configured, or inactivity timeout exceeds 900000ms (15 minutes) for any financial operation route.
- Skip (N/A) when: The application is API-only with no user-facing financial operations, or session management is delegated entirely to a third-party service; cite the actual service found.
- Detail on fail: Specify the current timeout value. Example: "Session inactivity timeout is 1800000ms (30 minutes) — exceeds 900000ms (15 minute) maximum for financial operations"
- Cross-reference: Check finserv-session-security.session-lifecycle.absolute-timeout-8hrs for absolute timeout, and finserv-session-security.session-lifecycle.timeout-warning for warning before expiration.
- Remediation: Configure your session middleware to enforce a 15-minute inactivity timeout (in src/middleware.ts or src/lib/session.ts):
session({
cookie: { maxAge: 15 * 60 * 1000 }, // 15 minutes in milliseconds
rolling: true, // Reset timeout on each request
resave: false,
saveUninitialized: false
})
Or use middleware to apply stricter timeouts to specific routes:
app.use('/api/transfer', sessionTimeout(15 * 60 * 1000));
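The "count all session configuration files and quote the actual timeout value" step, as an added example that is not the page's own tooling. It scans source text for `maxAge` (express-session, milliseconds) and `ttl` (store option, seconds) settings, evaluates plain integers and products such as `15 * 60 * 1000`, normalises to milliseconds, fails closed on anything it cannot evaluate statically, and produces the ratio line the pass criteria ask for. The snippets in SAMPLE_CONFIGS are constructed stand-ins for src/middleware.ts and src/lib/session.ts; scanConfig, evalProduct and the Finding shape are names chosen for this illustration, and the seconds unit for `ttl` assumes connect-redis's convention.

```typescript
// Added example, not the page's own tooling: static scan of session config for
// inactivity timeouts above 900000 ms. SAMPLE_CONFIGS is constructed data;
// scanConfig, evalProduct and Finding are names chosen for this illustration.

const MAX_INACTIVITY_MS = 900000; // 15 minutes

interface Finding {
  file: string;
  key: string;        // 'maxAge' (express-session, ms) or 'ttl' (store option, seconds)
  raw: string;        // the expression exactly as written, quoted in the report
  ms: number | null;  // normalised to milliseconds; null when not statically evaluable
  pass: boolean;      // false when over the ceiling or not evaluable (fail closed)
}

// Evaluate a bare integer or a product of integers such as "15 * 60 * 1000".
// Helper calls, variables and env lookups are flagged for manual review, not guessed at.
function evalProduct(expr: string): number | null {
  const factors = expr.split('*').map((f) => f.trim());
  if (factors.length === 0 || factors.some((f) => !/^\d+$/.test(f))) return null;
  let product = 1;
  for (const f of factors) product *= Number(f);
  return product;
}

function scanConfig(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  // Match `maxAge: <expr>` or `ttl: <expr>` up to the next comma, brace or newline.
  const re = /\b(maxAge|ttl)\s*:\s*([^,}\n]+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const key = m[1];
    const raw = m[2].replace(/\/\/.*$/, '').trim(); // strip a trailing line comment
    const value = evalProduct(raw);
    // Assumption: ttl follows connect-redis's convention of seconds, so convert to ms.
    const ms = value === null ? null : key === 'ttl' ? value * 1000 : value;
    findings.push({ file, key, raw, ms, pass: ms !== null && ms <= MAX_INACTIVITY_MS });
  }
  return findings;
}

// Constructed sample files: one failing (30 min), one passing on both cookie and
// store, one whose value cannot be evaluated statically.
const SAMPLE_CONFIGS: { [file: string]: string } = {
  'src/middleware.ts': `app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: { maxAge: 30 * 60 * 1000 }, // 30 minutes
  rolling: true,
}));`,
  'src/lib/session.ts': `export const financialSession = session({
  store: new RedisStore({ client, ttl: 900 }),
  cookie: { maxAge: 900000 },
  rolling: true,
});`,
  'src/lib/admin.ts': `cookie: { maxAge: ms('15m') }`,
};

function runScan(configs: { [file: string]: string } = SAMPLE_CONFIGS): Finding[] {
  let all: Finding[] = [];
  for (const file in configs) all = all.concat(scanConfig(file, configs[file]));
  return all;
}

// Produce the ratio line the pass/fail criteria ask for, quoting each failing value.
function summarize(findings: Finding[]): { total: number; passing: number; report: string } {
  const passing = findings.filter((f) => f.pass).length;
  const failing = findings
    .filter((f) => !f.pass)
    .map((f) => f.ms === null
      ? `${f.file} ${f.key}: ${f.raw} (not statically evaluable, review manually)`
      : `${f.file} ${f.key}: ${f.raw} (${f.ms}ms = ${f.ms / 60000} min)`);
  const report = `${passing} of ${findings.length} session timeouts are within ${MAX_INACTIVITY_MS}ms`
    + (failing.length ? `; failing: ${failing.join('; ')}` : '');
  return { total: findings.length, passing, report };
}
```

On the constructed input the report reads "2 of 4 session timeouts are within 900000ms" and names the 30-minute maxAge and the ms('15m') call as failures. The scan is deliberately conservative: a value it cannot reduce to a number counts as a finding to review, never as a pass, because a helper such as ms('15m') may hide any duration.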
External references
- cwe · CWE-613 — Insufficient Session Expiration
- owasp:2021 · A07 — Identification and Authentication Failures
- pci-dss:4.0 · Req 8.2.8 — Idle session timeout ≤15 minutes
- nist:rev5 · AC-12 — Session Termination
Taxons
History
- 2026-04-18·v1.0.0·Initial import from finserv-session-security·automated