Security questions about sessions

  • KM03275807
  • 25-Oct-2018
  • 25-Oct-2018

This document has not been formally reviewed for accuracy and is provided "as is" for your convenience.

Summary

Security questions about sessions

Question

1) Destroy Session Tokens on Logout. Is this requirement met?
2) Are broken authentication and session management addressed using secure coding methods? Is this requirement met?
3) Required Session Expiration: Server:
Enforce Session Expiration:
Server: Twenty (20) Minutes.
Is this requirement met?
4) Required Session Expiration: Workstation:
Enforce Session Expiration:
Workstation: Thirty (30) Minutes.
Is this requirement met?

Answer

1) Destroy Session Tokens on Logout. Is this requirement met?
Yes, except when HP LWSSO (HP Lightweight Single Sign-On) is used. The value of the cookie used for LWSSO is an encrypted string that includes the operator name. Also, when configuring LWSSO, there is a parameter that sets the Secure attribute of the LWSSO cookie to true. For reference, see the example below:
Cookie: LWSSO_COOKIE_KEY=IuhpW5RL2_q80RDSk1ZorPwbfCbKi-rGiRiyxdPdvDKPbxU09fREFH8tT5TLnRUf5ukUJ5w7pZFn-_AcJgnTUcNHgEQFohEsueg7H_mhb5lH6ssnqrlPjGVe0XgmlV68P36f3w7CP6YlYO7j873Xqb-b3_jliZTsiW58-KEkqtWZBKUNaJekz8HOdy-0ZHgQQ7j_c-xAmMAOhiIYdDHjnksCCLvFLqA80GPdHMVCABoCOBnx3lYn-UbJXnap1vFs secure

2) Are broken authentication and session management addressed using secure coding methods? Is this requirement met?
Yes, but the details depend on which authentication method you are using. For reference, see the Web Implementation and Administration guides.

3) Required Session Expiration: Server:
Enforce Session Expiration:
Server: Twenty (20) Minutes.
Is this requirement met?
Yes, but it must be configured on the server itself, at the database level.

4) Required Session Expiration: Workstation:
Enforce Session Expiration:
Workstation: Thirty (30) Minutes.
Is this requirement met?
Yes. It can be configured from the Asset Manager Windows client under the Administration menu, Database options. Which parameters apply also depends on how the authentication method is configured, but that is where the session expiration parameters can be changed.
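The checks a reviewer would actually run to confirm answers 1, 3 and 4 above, as an added example that is not Asset Manager, LWSSO or Micro Focus code. It assumes the session cookie arrives in a standard Set-Cookie response header with ";"-separated attributes (the article's own example shows the flag appended to a Cookie: request header instead), that a logout response re-sets the cookie to clear it, and that the server's access log can be reduced to "<timestamp> <session id> <status>" lines; the headers, the session ids sess-A/sess-B and the log lines are constructed, and only the LWSSO_COOKIE_KEY cookie name comes from the article.

```python
"""Offline checks for the session requirements discussed in this article.

Added example; this is not Asset Manager or LWSSO code.  The Set-Cookie
headers and the request-log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header):
    """Q1: report a session cookie that lacks the Secure or HttpOnly attribute."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append(cookie["name"] + ": missing Secure")
    if "httponly" not in cookie["attrs"]:
        findings.append(cookie["name"] + ": missing HttpOnly")
    return findings


def cleared_on_logout(header):
    """Q1: True if the logout response's Set-Cookie really destroys the cookie:
    empty value, Max-Age=0, or an Expires date in the past."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    if cookie["value"] == "" or attrs.get("max-age") == "0":
        return True
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            return parsedate_to_datetime(expires) <= datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False
    return False


# Constructed request log: "<ISO timestamp> <session id> <HTTP status>" for
# requests that presented an already-issued session token.
REQUEST_LOG = [
    "2018-10-25T09:00:00 sess-A 200",
    "2018-10-25T09:05:00 sess-B 200",
    "2018-10-25T09:15:00 sess-A 200",
    "2018-10-25T09:20:00 sess-B 200",
    "2018-10-25T09:40:00 sess-A 200",  # accepted after 25 min idle
    "2018-10-25T09:50:00 sess-B 401",  # rejected after 30 min idle
    "2018-10-25T10:20:00 sess-A 401",  # rejected after 40 min idle
]


def longest_accepted_idle(log_lines, session_id):
    """Longest gap between two requests of one session where the later one was
    still accepted (2xx).  A rejection ends the session, so a later re-login
    under the same id starts a fresh measurement."""
    last_accepted = None
    longest = timedelta(0)
    for line in log_lines:
        stamp, sid, status = line.split()
        if sid != session_id:
            continue
        when = datetime.fromisoformat(stamp)
        if status.startswith("2"):
            if last_accepted is not None:
                longest = max(longest, when - last_accepted)
            last_accepted = when
        else:
            last_accepted = None
    return longest


def meets_idle_timeout(log_lines, session_id, limit=timedelta(minutes=20)):
    """Q3/Q4: the server must not honour a session that has been idle longer than limit."""
    return longest_accepted_idle(log_lines, session_id) <= limit


if __name__ == "__main__":
    for hdr in ("LWSSO_COOKIE_KEY=abc; Path=/",
                "LWSSO_COOKIE_KEY=abc; Path=/; Secure; HttpOnly"):
        print(hdr, "->", cookie_findings(hdr) or "ok")
    print("logout clears cookie:",
          cleared_on_logout("LWSSO_COOKIE_KEY=; Path=/; Max-Age=0"))
    for sid in ("sess-A", "sess-B"):
        print(sid, "longest accepted idle:", longest_accepted_idle(REQUEST_LOG, sid),
              "meets 20 min:", meets_idle_timeout(REQUEST_LOG, sid))
```

For the workstation requirement, run the same log check with limit=timedelta(minutes=30). sess-A fails the 20-minute server limit because a request 25 minutes after the previous one was still accepted; sess-B passes.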