What is the ideal web session timeout?

One of our customers, for whom we had performed a Mobile App VAPT (vulnerability assessment and penetration test), asked us what the ideal session timeout should be for their FinTech app.

The answer to this question depends on how you answer the two questions below:
1. How sensitive or confidential is the data in your app?
2. How much risk are you willing to take by exposing that data?

For starters, a session is created and managed on the server side. The timeout is decided either by the backend application (the web service, API or web page that issues the session) or by the underlying web or application server through its configuration; the client only presents the session identifier on each request, so a timeout enforced purely in the mobile app or browser is not a control at all. For a mobile app the same applies to the API token the app holds.
The short answer is: it depends on your data confidentiality and your risk appetite.

In more detail: if your app does not hold confidential data, a session timeout as long as 2 hours can be acceptable. If it holds confidential data such as medical records or credit card information, we usually recommend no more than 20 minutes. In our experience a typical web application is configured with a 15 minute session timeout. Whatever value you choose, distinguish between an idle timeout (the session ends after a period with no requests; values like the ones above are normally idle timeouts) and an absolute timeout (the session ends a fixed time after login regardless of activity). An app holding confidential data should enforce both, and an expired session must be deleted on the server so that a stolen identifier cannot be replayed.
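To make the server-side mechanism concrete, here is an added example (written for this post, not code from the customer's app or from any particular framework) of a minimal session store that enforces both an idle timeout and an absolute timeout. The 15 minute and 8 hour values are illustrative assumptions, as is the use of an injectable clock so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative policy values (assumed for this example, not prescribed by the post):
# a confidential app gets a short idle window and a hard cap on total lifetime.
IDLE_TIMEOUT_SECONDS = 15 * 60        # no request for 15 minutes -> session dies
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # session dies 8 hours after login regardless of activity


@dataclass
class Session:
    user: str
    created_at: float      # when the session was issued (absolute timer)
    last_seen_at: float    # last valid request (idle timer)


class SessionStore:
    """Server-side session store with sliding (idle) and absolute expiry.

    `clock` is injectable (defaults to time.time) so expiry can be demonstrated offline.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions = {}  # session id -> Session; lives only on the server

    def create(self, user: str) -> str:
        # 32 bytes from the CSPRNG: the identifier must be unguessable
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen_at=now)
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate a session on each request; return its user, or None if unknown/expired.

        A valid request refreshes the idle timer (sliding expiry) but never
        extends the absolute lifetime, so a long-lived stolen session still dies.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s.last_seen_at > self.idle_timeout
        absolute_expired = now - s.created_at > self.absolute_timeout
        if idle_expired or absolute_expired:
            # delete server-side so the identifier cannot be replayed later
            del self._sessions[sid]
            return None
        s.last_seen_at = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock used to demonstrate the timeouts without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.create("alice")
    clock.advance(14 * 60)
    print("after 14 min idle:", store.touch(sid))   # alice (idle timer reset)
    clock.advance(16 * 60)
    print("after 16 min idle:", store.touch(sid))   # None (idle timeout)
```

Each request goes through `touch`, which is where the policy actually lives; the mobile app or browser never decides whether a session is still valid. Swapping `IDLE_TIMEOUT_SECONDS` for 2 hours versus 20 minutes is exactly the confidentiality and risk-appetite decision discussed above.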

Below are a few typical session timeouts as examples:

Application                  Session timeout
Google Gmail                 more than 13 hours
Facebook                     more than 10 hours
Twitter                      more than 10 hours
Banking apps in India        4 minutes
Banking apps in the USA      15 minutes
Typical HR portals           5 minutes
CRMs and SRMs                10 minutes

Are you looking to get questions like these answered by cyber security professionals and certified ethical hackers? Feel free to contact us.
