PCI Idle Session Timeout general question

Can someone help me understand how the PCI timeout rules change for an application like the Starbucks App? A user is able to keep their card open, ready for scan, for longer than 15 minutes if needed, but PCI A11y AA also requires displaying a message that gives the user a chance to react and keep the session alive.

I understand and have implemented it from an e-commerce approach but am a bit confused on the e-wallet approach.

What attacks are prevented using Session Timeout or Expiry?

OWASP recommends setting session timeouts to the minimal value possible, to minimize the time an attacker has to hijack the session:

Session timeout defines the action window time for a user; this window thus represents, at the same time, the delay in which an attacker can try to steal and use an existing user session…

For this, it is best practice to:

  • Set session timeout to the minimal value possible depending on the context of the application.
  • Avoid “infinite” session timeout.
  • Prefer declarative definition of the session timeout in order to apply global timeout for all application sessions.
  • Trace session creation/destruction in order to analyse the creation trend and try to detect abnormal numbers of session creations (application profiling phase in an attack).

(Source)

The most popular methods of session hijacking attacks are session fixation, packet sniffing, XSS and compromise via malware, but these are all real-time attacks on the current session.

Once hijacked, the attacker will be able to prevent an idle timeout (via activity), and I would consider any successful session hijack a security breach anyway (unless you want to argue how much larger than zero seconds of access an attacker can have before it actually counts as an actual breach).

If the original method of getting the session token can be repeated, this seems to further limit the usefulness of a timeout — a 5-minute window that can be repeated indefinitely is effectively not limited.

What real-world attack exists (even theoretically) where a session timeout would be an effective mitigation? Is session expiry really just a form of security theater?
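The two posts above (the PCI warn-before-expiry question and the "is session expiry security theater" question) both come down to the same design: an idle timeout that user activity refreshes, a warning window shortly before it fires, and an absolute cap that activity cannot extend, which is what bounds a hijacked session even when the attacker keeps it busy. The following is an added illustration, not code from either post; the store design, the helper names and the timeout values other than the 15-minute idle figure are assumptions.

```python
from dataclasses import dataclass
import secrets
import time

# Policy values are constructed for illustration; only the 15-minute idle
# figure comes from the posts above, the rest are assumptions.
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap, not extendable by activity
WARN_BEFORE = 2 * 60         # show "stay signed in?" this long before idle expiry


@dataclass
class Session:
    token: str
    created: float    # absolute clock starts here and is never reset
    last_seen: float  # idle clock starts here and is reset by touch()


class SessionStore:
    """In-memory session store with idle and absolute expiry (assumed design)."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so tests can move time
        self._sessions: dict[str, Session] = {}

    def create(self) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)  # unguessable id, never sequential
        self._sessions[token] = Session(token, now, now)
        return token

    def state(self, token: str) -> str:
        """Return 'active', 'warn', 'expired' or 'unknown' without refreshing."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        now = self._clock()
        if now - s.created >= ABSOLUTE_TIMEOUT or now - s.last_seen >= IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # expire lazily on read
            return "expired"
        if IDLE_TIMEOUT - (now - s.last_seen) <= WARN_BEFORE:
            return "warn"                    # client should show the keep-alive prompt
        return "active"

    def touch(self, token: str) -> bool:
        """Record user activity (e.g. the 'stay signed in' click). Resets only
        the idle clock; the absolute cap still ends the session on schedule."""
        if self.state(token) in ("expired", "unknown"):
            return False
        self._sessions[token].last_seen = self._clock()
        return True
```

Because `state()` is evaluated server-side on every request, a client that simply keeps sending traffic can hold the idle clock open but still loses the session at the absolute cap.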

How might we help customers get back on track from a connection timeout message

I’m designing ‘sad path’ scenarios for checkout and I’m trying to design for helping customers when a connection timeout occurs when the checkout hangs trying to connect to our 3rd party credit card payment form.

When this happens the credit payment form could not get loaded in our checkout environment.

A simple solution is to reload the page.

The UX/UI solution I’m putting forward is an alert message that appears on the page and asks the customer to reload the page.

This is my attempt at making the error message more ‘user-friendly’:


A connection error occurred

An error occurred when we were trying to connect to the system.

Please reload the page to try connecting again.

[ Reload page ] <— button


How do people feel about the above message? Any other solutions you can think of?

Thanks.

cURL timeout error 28 in Site Health and Sucuri SiteCheck

I run a server hosting multiple WordPress installations with the iThemes Security Pro plugin installed. One of the things that this plugin does is it uses Sucuri SiteCheck to scan the site for vulnerabilities: https://sitecheck.sucuri.net/

Recently, SiteCheck has been failing on all of my sites, reporting the following error:

    Unable to properly scan your site. Timeout reached

Coincidentally, the new Site Health WordPress Tool has also been reporting the following error on all my sites:

    The REST API is one way WordPress, and other applications, communicate with the server. One example is the block editor screen, which relies on this to display, and save, your posts and pages. The REST API request failed due to an error. Error: [] cURL error 28: Connection timed out after 10000 milliseconds

I suspect that the issues are related, but I don’t know where to start to fix this issue. I have both Fail2Ban and ModSecurity enabled on my server and on Apache respectively, but the problem still persists when I turn off the services.

I would appreciate it if someone could help pinpoint possible issues. SiteCheck has always worked on my server without a hitch.

Ubuntu 18 gets timeouts on all my SMB mounts, but not Ubuntu 16.04 LTS, Fedora 25 or Windows 7 and 10

I have a couple of SMB mounts on some different Linux machines. Most of them are hosted on ClearOS 6 or 7 machines and I have never had problems mounting these SMB shares on any earlier Ubuntu version, Fedora or Windows before, but Ubuntu 18.04 always gets a timeout when transferring large amounts of data.

Ubuntu 16.04 worked like a charm for years. I do have one Ubuntu 18.04 machine that works great with SMB, but that one was upgraded from 16.04; the cleanly installed Ubuntu 18.04 machines do get a timeout.

Just checked, and the Ubuntu 18 machine that has no problems with my SMB servers runs an older kernel than the ones that are cleanly installed:

    Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

vs.

    Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-29-generic x86_64)
    Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-25-generic x86_64)

I know they aren’t fully updated, but my SMB issues have been present the whole time on a cleanly installed Ubuntu 18.04.

Does anyone have any idea why my cleanly installed Ubuntu 18.04 machines time out, compared to Ubuntu 16.04, Ubuntu 18.04 upgraded from Ubuntu 16.04, Fedora or Windows?

Different tweaks I have tried on the Samba servers under [global], to no avail:

    socket options = IPTOS_LOWDELAY TCP_NODELAY
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_KEEPALIVE
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=16384 SO_SNDBUF=16384
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=65536 SO_SNDBUF=65536
    socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536

Does anyone have any idea why the timeout only happens on these machines?

    Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-29-generic x86_64)
    Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-25-generic x86_64)

Edit: from the log:

    [2019/09/23 15:22:54.310475,  1] smbd/process.c:457(receive_smb_talloc)
      receive_smb_raw_talloc failed for client 192.168.10.70 read error = NT_STATUS_CONNECTION_RESET.
    [2019/09/23 15:22:54.370419,  1] smbd/service.c:1378(close_cnum)
      buntu (192.168.10.70) closed connection to service

And I have this under [global] too:

    client min protocol = SMB1
    client max protocol = SMB3

I know SMB1 isn’t safe anymore, but this is on a local LAN only and is used to support older software and phones at the moment.

Lock screen screen timeout

When I wake the computer from sleep or manually lock the screen using Super+L, the monitor goes off very quickly (~5-10 seconds). Especially after waking up this is annoying, as I need to start entering my password fairly quickly to prevent the screen from turning off. How can I set this “screen off when on the lock screen” timeout?

I’m on Ubuntu 18.04.02 LTS.

Timeout issues when provisioning service applications SharePoint 2016

I am facing issues with a newly created SharePoint 2016 environment. The farm has 1 WFE, 1 app server, 1 search server and 1 SQL server. All servers have 16-20 GB RAM. The SharePoint 2016 install is complete and the products and configuration wizard has been run on all servers except the SQL server. Now I am at the step of creating service applications. The issues faced are:

  1. Service applications created through the UI are taking a very long time to create (30 minutes from the UI and over 2 hours from PowerShell).
  2. The completion results in a ‘Request timeout error’ and in a partially created service application. Usually it doesn’t create the proxy and the SA is stuck in the starting state.
  3. Timeouts occur when deleting these applications as well, hence I have to use the deleteconfigurationobject stsadm command to delete them and then delete the SA database manually.
  4. One of the timer jobs, ‘UserProfileApplicationProxy – Unified Group Processing High Performance Job’, keeps failing.

Service applications that I have tried to create causing issues:

  1. Managed metadata service application
  2. BCS
  3. Usage and health data Collection Service application
  4. User profile service application
  5. Search service application

Resolutions tried:

  1. IISRESET
  2. Clearing the timer job cache
  3. Manually creating service applications and proxies using PowerShell and provisioning them
  4. Increasing the shutdown time on the application pool for Central Admin in IIS
  5. Installing updates (if any) and running the products and configuration wizard again

I created a Web application and site collection and both of those got created in under 5 minutes.

Could anyone please tell me what may be the reason for the timeouts and why my service applications are breaking?

userdisp.aspx with GroupID timeout and not redirecting to people.aspx?MembershipGroupId on SP 2010

A SharePoint 2010 application has a few site collections (say root (/), /SC1 and /SC2).

On site collection SC1, the profile link _layouts/userdisp.aspx?ID=_ receives a timeout for two of the four group IDs. But it works when the Force=True query string is added, and I do not see this issue with the SC2 and root site collections. On success, it should redirect to _layouts/people.aspx?MembershipGroupID=_. Accessing _layouts/people.aspx?MembershipGroupID=_ directly also works.

Example:

    //On SC1, ID = 1 does not work; ID = 2 works
    https://example.com/SC1/_layouts/userdisp.aspx?ID=1             //Does not work for group ID 1
    https://example.com/SC1/_layouts/userdisp.aspx?ID=1&Force=True  //Works with Force=True
    https://example.com/SC1/_layouts/people.aspx?MembershipGroupID=1 //Works with people.aspx url
    https://example.com/SC1/_layouts/userdisp.aspx?ID=2             //Works for group ID 2
    https://example.com/SC1/_layouts/userdisp.aspx?ID=25            //Works for user ID 25

    //Other SiteCollections
    https://example.com/_layouts/userdisp.aspx?ID=1                 //Works with root
    https://example.com/SC2/_layouts/userdisp.aspx?ID=1             //Works with SC2

Note: This issue is occurring only for SharePoint groups, not for user profiles. This site has been working for the past few years, and this issue just started showing up.

ncmpcpp timeout; mpd not working

ncmpcpp was working just fine before I ran an update, and now it gives me a “Timeout while connecting” error, so I cannot use it. When I try running mpd I get this error:

    socket: Failed to bind to '127.0.0.1:6600': Address already in use

This is my mpd config file:

    music_directory     "~/Music"
    playlist_directory  "~/Playlists"
    db_file             "~/.local/share/mpd/mpd.db"
    log_file            "~/.local/share/mpd/mpd.log"
    pid_file            "~/.local/share/mpd/mpd.pid"
    state_file          "~/.local/share/mpd/mpd.state"
    sticker_file        "~/.local/share/mpd/sticker.sql"

    bind_to_address     "localhost"
    log_level           "default"
    port                "6600"
    restore_paused      "yes"
    metadata_to_use     "artist,album,title,track,name,genre,date"
    auto_update         "yes"

    input {
        plugin "curl"
    }

    audio_output {
        type        "pulse"
        name        "pulse audio"
    }

    audio_output {
        type        "fifo"
        name        "mpd_fifo"
        path        "/tmp/mpd.fifo"
        format      "44100:16:2"
        host        "localhost"
    }

This is the important part of my ncmpcpp config file:

    ncmpcpp_directory = ~/.config/ncmpcpp
    lyrics_directory = ~/.lyrics
    mpd_music_dir = ~/Music/library
    mpd_host = localhost
    mpd_port = 6600
    mpd_connection_timeout = 5

Can someone help me at all? Any guidance at all?