If you have access to the web.xml file, you can check it. In the web.xml file you can check the session timeout like below...
<session-config>
    <!-- idle timeout, in minutes -->
    <session-timeout>120</session-timeout>
    <cookie-config>
        <path>/</path>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
That works only with a few technologies. There are plenty of different web technologies, and they all have their own way to check session validity. In some cases it's even embedded in the code, so there isn't a simple solution.
Here's one idea: just wait until the session times out. Usually the simplest way to test it is to open the session in the evening and check in the morning whether it is still valid. Then you have at least a basic idea of whether the session times out at all. If it doesn't, then it just doesn't. Also, ask the devs how quickly it should time out, then wait for that time with a timer and see what happens. Or ask them to set the timeout to a smaller value so you can see how it behaves at timeout.
Session/cookie testing is part of web application security testing. You can test the session timeout by following these steps:
<!-- Session Configuration --> <session-config>
<sessionState timeout="1" mode="InProc" />
2. After checking the session timeout, navigate to the appropriate page of the application and leave the page idle for a bit more than the session timeout.
Hope this will help!!
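The configuration check described in the answers above can be scripted. The following is an added example, not code from any poster in this thread: it reads the idle timeout from either a web.xml `session-timeout` element or a web.config `sessionState` attribute (both are in minutes) and returns how long to leave the page idle for the manual test. The function names, the 30-minute policy ceiling and the one-minute margin are assumptions, and the sample configs are constructed from the snippets quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the two snippets quoted in the answers.
WEB_XML = """<web-app>
  <session-config>
    <session-timeout>120</session-timeout>
    <cookie-config><path>/</path></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState timeout="1" mode="InProc" />
  </system.web>
</configuration>"""

MAX_IDLE_MINUTES = 30  # assumed policy ceiling for this example, not from the thread

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def session_timeout_minutes(xml_text):
    """Return (source, minutes) for the configured idle timeout, or None if unset."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = local(el.tag)
        if name == "session-timeout" and el.text and el.text.strip():
            return ("web.xml", int(el.text.strip()))
        if name == "sessionState" and "timeout" in el.attrib:
            return ("web.config", int(el.attrib["timeout"]))
    return None

def review(xml_text, max_idle=MAX_IDLE_MINUTES):
    """Classify the setting and give the idle wait (seconds) for the manual test."""
    found = session_timeout_minutes(xml_text)
    if found is None:
        return {"status": "not-set", "wait_seconds": None}
    source, minutes = found
    if minutes <= 0 and source == "web.xml":
        # Servlet spec: a value of 0 or less means sessions never time out.
        return {"status": "never-expires", "wait_seconds": None}
    status = "ok" if minutes <= max_idle else "too-long"
    # Idle a bit longer than the timeout (assumed margin: one extra minute).
    return {"status": status, "source": source, "wait_seconds": (minutes + 1) * 60}

if __name__ == "__main__":
    print([review(cfg) for cfg in (WEB_XML, WEB_CONFIG)])
```

A "not-set" result means the container or framework default applies, so the value still has to be confirmed with the idle test itself.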