Improper Session Management
A session should ideally end when the user goes inactive. One common practice is to terminate a user session once the period of inactivity reaches a set limit. A session that is never terminated gives an attacker a window to infiltrate and hijack it, and possibly the sessions of other users as well. Let's walk through an example of how an attacker may hijack one user's session and then the sessions of other users of the system.
A user is using a mobile application that communicates with its backend server running on a remote computer, and that communication takes place over a network. An attacker observing the conversation has managed to steal the session key. The user minimizes the mobile app, so no further communication with the server takes place. The attacker uses the same session key and begins a dialogue with the server. Because the impersonator presents a valid session key, the data and commands sent across are trusted and executed. The attacker sends across a script that stores itself on the server side. It is programmed to pick up the session keys of all the client sessions in which the server participates and send those keys to the attacker, who then uses them to hijack the other sessions.
It is advisable to implement an auto-logout mechanism for sessions to prevent such infiltrations. Determine a specific period, say 15 minutes. If no dialogue is received from the mobile application for 15 minutes, the server terminates the client session and the user is redirected to another page.
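The following is an added example, not code from the original article, of how a backend could enforce the 15-minute inactivity rule described above. It is a minimal server-side session store written in Python: every request must present its session token, the store refreshes the idle timer on each valid request, and a token that has been idle past the limit is deleted rather than merely flagged, so a replayed copy of it (as in the scenario above) gets nothing. The store keeps only a SHA-256 hash of each token, so a script that reads the server's session table still does not obtain usable session keys. The class and function names, the 8-hour absolute cap, and the injectable `clock` parameter (used so the behaviour can be tested without waiting) are assumptions of this example, not from the page.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # page's example: 15 minutes without any request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed hard cap, even for a continuously active session


@dataclass
class Session:
    user: str
    created_at: float   # clock reading when the session was issued
    last_seen: float    # clock reading of the most recent valid request


class SessionStore:
    """Server-side session table with idle and absolute expiry."""

    def __init__(self,
                 idle_timeout: float = IDLE_TIMEOUT,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}   # keyed by hash of the token, never the raw token
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Store only a digest: a dump of this table does not yield usable session keys.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user owning a live session and refresh its idle timer.

        Returns None for unknown, idle-expired or absolutely-expired tokens;
        an expired session is removed so a replayed token cannot revive it.
        The caller should respond to None by redirecting to the login page.
        """
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user

    def revoke(self, token: str) -> None:
        """Explicit logout: drop the session immediately."""
        self._sessions.pop(self._key(token), None)

    def sweep(self) -> int:
        """Remove every expired session (run periodically); returns count removed."""
        now = self.clock()
        expired = [k for k, s in self._sessions.items()
                   if now - s.last_seen > self.idle_timeout
                   or now - s.created_at > self.absolute_timeout]
        for k in expired:
            del self._sessions[k]
        return len(expired)

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("valid now:", store.validate(tok))      # alice
    store.revoke(tok)
    print("after logout:", store.validate(tok))   # None
```

Each request handler calls `validate()` before doing any work; the idle timer is only refreshed by requests that carry a valid token, so a minimized app that sends nothing lets the session lapse on schedule. The absolute cap bounds how long a stolen-but-still-active token remains useful, and `sweep()` keeps the table from accumulating stale entries between requests.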