- What is the ideal web session timeout? - 15/05/2023
One of our customers for whom we had performed Mobile App VAPT asked us, what should be the ideal session timeout for their FinTech App?
The answer to this question actually depends on how you answer the following questions:
1. How sensitive or confidential is the data in your App?
2. How much risk are you willing to take by exposing that data?
For starters, the session is created and managed on the server side. By default, either the web service or API or web page in the backend decides the timeout, or the underlying web server decides it via its configuration.
The short answer is: it depends on your data confidentiality and your risk appetite.
In more detail: if your App doesn't hold confidential data, you can set the session timeout to as much as 2 hours. However, if it holds confidential data such as medical records or credit card information, we usually recommend nothing more than 20 minutes. In our experience, a typical web application has a session timeout of 15 minutes.
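As an added example (not code from the original post), here is a minimal server-side session store in Python that enforces the idle timeout discussed above on every request, so the limit holds regardless of what the client does. The 15-minute idle value is the page's figure; the 8-hour absolute lifetime, the class and function names, and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60          # page's typical web-app value: 15 minutes idle
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed hard cap on session age (not from the page)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session store keyed by an unguessable session id."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT,
                 absolute_timeout=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so tests can advance time

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        now = self._clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if unknown or expired.

        Expired sessions are deleted server-side, so an old id cannot be
        revived by a client that simply keeps presenting it."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > self.idle_timeout
                or now - session.created_at > self.absolute_timeout):
            del self._sessions[sid]
            return None
        session.last_seen = now  # activity resets the idle clock, not the age
        return session

    def destroy(self, sid):
        """Logout: remove the session so the id is immediately useless."""
        self._sessions.pop(sid, None)
```

Both checks run on every request; the idle check alone would let a session live forever as long as the client keeps polling, which is why the absolute cap is included.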
Below are a few typical timeouts as examples:
| Application | Session Timeout |
|---|---|
| Google Gmail | >13 hours |
| | >10 hours |
| | >10 hours |
| Banking Apps in India | 4 Minutes |
| Banking Apps in USA | 15 Minutes |
| Typical HR Portals | 5 Minutes |
| CRMs and SRMs | 10 Minutes |
Are you looking to get questions like these answered by cyber security professionals and certified ethical hackers? Feel free to contact us.