Change default session timeout to 10 minutes for STIG compliance #685

@aaronlippold

Description

The current default session timeout is 60 minutes, but STIG requires:

  • 10 minutes for administrative users
  • 15 minutes for non-privileged users

Current Implementation

  • Default timeout: 60 minutes (config/vulcan.default.yml:29)
  • Configured via: VULCAN_SESSION_TIMEOUT environment variable

Proposed Changes

  1. Change default timeout in config/vulcan.default.yml from 60 to 10 minutes
  2. Add comments about STIG compliance requirements
  3. Update documentation to reflect the change

Files to Update

  • config/vulcan.default.yml line 29
  • Documentation files referencing session timeout

Acceptance Criteria

  • Default timeout changed to 10 minutes
  • STIG compliance comment added
  • Tests pass with new default
  • Documentation updated

References

  • NIST SP 800-53 AC-12
  • Application Security & Development STIG V-222389, V-222390
