User session idle timeout
There does not appear to be any idle timeout for user sessions, including those of administrative users (or if there is, I have never seen it in my own testing meaning that it must be in excess of 8 hours).
Ideally this should be a configurable value, but failing that, an inactivity timeout of 1 hour or less should be enforced for administrative accounts at the very minimum. Not doing so is a significant security risk and would definitely be flagged on a penetration test, especially considering the personal data that administrative accounts have access to.
I know there is always a trade-off between usability and security, which is why it would be preferable if the timeout was a configurable value, but a session inactivity timeout that is either entirely absent or lasts many hours is not something I consider an acceptable position given the nature of the application.
Thank you for your feedback.
It is indeed flagged on our pen testing reports, and we took the decision to implement a 24-hour timeout as a balance between usability and security. Any user wanting more granular security control is able to implement Single Sign On with either Google or Microsoft and use the authentication options they offer.
We do use single sign on via Microsoft, but the problem is that after authenticating to Appogee via SSO, the Appogee session is then valid for 24 hours. So it doesn't matter what you configure on the Microsoft/Google side, the session will not be invalidated until 24 hours have passed.
We're a SaaS software company too and 24 hours definitely feels excessive for an inactivity timeout, especially for administrative accounts (it would be reasonable for an absolute timeout, as long as a shorter inactivity timeout was also in place).
1 hour is more reasonable and is the value we use in our software, handling similar types of data (though some of our clients push us for 20 minutes or less!). The risk is not confined to someone physically accessing the logged-in computer (which can be controlled in other ways), it's also that you are creating a much larger window of opportunity for an attacker to obtain/compromise and reuse a valid session.
Session timeouts should be kept as short as possible without materially impacting the usability of the application and considering the sensitivity of the data. Most sources suggest an inactivity timeout of 15-60 mins, e.g. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
What is the argument to support having such a long inactivity timeout? A user can potentially log in once at the beginning of the week, not log out at the end of a working day, and continue to work the following morning without reauthenticating as their session will not have expired. This could give an attacker a window of a whole week to compromise the user's session!
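The distinction the thread turns on, a sliding inactivity timeout versus a hard absolute lifetime, is easiest to see in code. The following is an added illustration written for this page; it is not Appogee's code and nothing in the thread describes how their session handling is implemented. The role names (`admin`, `user`), the per-role idle limits and the simulated working week are assumptions chosen to match the figures discussed above: a 24-hour absolute cap, a 1-hour idle limit for administrators, and a user who is active every half hour from 09:00 to 17:00 and idle overnight.

```python
"""Server-side session expiry with separate idle and absolute timeouts.

Added example for the discussion above (not Appogee's code). Timeout values,
role names and the simulated working week are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

ABSOLUTE_TIMEOUT = 24 * 3600              # hard cap on session lifetime (assumed)
IDLE_TIMEOUT_BY_ROLE = {                  # inactivity limits in seconds (assumed)
    "admin": 60 * 60,                     # 1 hour, as recommended in the thread
    "user": 8 * 60 * 60,
}


@dataclass
class Session:
    session_id: str
    user: str
    role: str
    created_at: float                     # fixed at login; drives the absolute cap
    last_seen: float                      # updated on every request; drives the idle cap


class SessionStore:
    """In-memory store; a real deployment would back this with a database or cache."""

    def __init__(self, clock=time.time, absolute_timeout=ABSOLUTE_TIMEOUT, idle_timeouts=None):
        self._clock = clock               # injectable for deterministic simulation
        self._absolute = absolute_timeout
        self._idle = dict(idle_timeouts or IDLE_TIMEOUT_BY_ROLE)
        self._default_idle = min(self._idle.values())   # unknown roles get the strictest limit
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, role: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy for the session identifier
        self._sessions[sid] = Session(sid, user, role, now, now)
        return sid

    def expiry_reason(self, sid: str) -> str | None:
        """Return None if the session is still valid, otherwise why it is not."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        now = self._clock()
        if now - s.created_at >= self._absolute:
            return "absolute"             # lifetime cap: activity does not extend it
        if now - s.last_seen >= self._idle.get(s.role, self._default_idle):
            return "idle"                 # inactivity cap: each request pushes it forward
        return None

    def touch(self, sid: str) -> Session | None:
        """Validate on every request; extend the idle window or drop the session."""
        if self.expiry_reason(sid) is not None:
            self._sessions.pop(sid, None)   # invalidate server-side, not just client-side
            return None
        s = self._sessions[sid]
        s.last_seen = self._clock()
        return s

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the simulation below runs instantly and deterministically."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def survives_workweek(idle_timeout: float, absolute_timeout: float, role: str = "admin") -> bool:
    """Constructed scenario from the thread: one login on Monday 09:00, requests every
    30 minutes from 09:00 to 17:00 on each of five days, idle overnight. Returns True
    if the same session is still usable at Friday 17:00 without re-authentication."""
    clock = FakeClock(0.0)
    store = SessionStore(clock=clock, absolute_timeout=absolute_timeout,
                         idle_timeouts={role: idle_timeout})
    sid = store.create("alice", role)
    for _day in range(5):
        for _half_hour in range(16):      # 09:00, 09:30, ... 16:30
            if store.touch(sid) is None:
                return False
            clock.advance(30 * 60)
        clock.advance(16 * 3600)          # 17:00 -> 09:00 next morning, no requests
    return store.touch(sid) is not None


if __name__ == "__main__":
    print("24h idle, no absolute cap :", survives_workweek(24 * 3600, float("inf")))
    print("24h idle, 24h absolute    :", survives_workweek(24 * 3600, 24 * 3600))
    print("1h idle,  24h absolute    :", survives_workweek(3600, 24 * 3600))
```

With a 24-hour inactivity timeout and no absolute cap, the Monday login is still valid on Friday afternoon, which is exactly the week-long exposure described above. Adding a 24-hour absolute cap ends that session on Tuesday morning regardless of activity, and a 1-hour idle limit ends it during the first overnight gap. Both checks run on every request and the expired session is deleted server-side, so a captured session identifier stops working at the same moment rather than remaining replayable.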