Insufficient Session Expiration

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

Insufficient session expiration occurs when an application allows old session tokens or IDs to remain valid for too long, letting attackers reuse them to gain unauthorized access.

Extended Description

This weakness arises when sessions do not expire quickly or reliably enough. Common causes include overly long timeout periods, logout functions that do not invalidate the token on the server, and sessions that persist indefinitely after the user closes the browser. An attacker who obtains a lingering session credential, for example through cross-site scripting or session fixation, can impersonate the legitimate user long after that user has left the application. To prevent this, enforce short, absolute session timeouts, implement a secure logout that destroys the server-side session data, and tie sessions to client attributes such as IP address or user agent. Rotate session IDs after login and after any privilege change. While SAST tools can detect the pattern, Plexicus uses AI to analyze session management flows and suggest precise code fixes, such as proper invalidation logic, saving hours of manual review and reducing risk across your entire application stack.
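The following is an added example (not code from the page or from Plexicus) of a server-side session store that applies the controls listed above: an idle timeout, an absolute timeout measured from authentication, logout that destroys server-side state, a client-binding check, and ID rotation at login. The timeout values, the `Session`/`SessionStore` names and the `client_fingerprint` binding attribute are assumptions chosen for illustration; the `FakeClock` exists only so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values are assumptions for this example, not figures from the page.
IDLE_TIMEOUT = 15 * 60          # seconds since the last request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds since authentication, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float        # authentication time; anchors the absolute timeout
    last_seen: float         # last validated request; anchors the idle timeout
    client_fingerprint: str  # hypothetical binding attribute, e.g. a hash of the User-Agent


class SessionStore:
    """Server-side session table that re-checks expiration on every lookup."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_fingerprint: str,
              old_sid: Optional[str] = None) -> str:
        # Rotate: destroy the pre-authentication ID (if any) so a fixated token never
        # becomes an authenticated one, and start the absolute clock at login time.
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, client_fingerprint)
        return sid

    def logout(self, sid: str) -> None:
        # Server-side destruction; clearing the cookie alone leaves the token usable.
        self._sessions.pop(sid, None)

    def validate(self, sid: str, client_fingerprint: str) -> Optional[str]:
        """Return the user bound to `sid`, or None if the session is missing or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self.logout(sid)  # expired: remove it so a replayed ID cannot be revived
            return None
        if not hmac.compare_digest(s.client_fingerprint.encode(),
                                   client_fingerprint.encode()):
            self.logout(sid)  # presented from a different client: treat as stolen
            return None
        s.last_seen = now  # sliding idle window; created_at is never refreshed
        return s.user

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock so timeouts can be exercised without sleeping."""

    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock.now)
    sid = store.login("alice", "fp-a")
    print("fresh:", store.validate(sid, "fp-a"))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.validate(sid, "fp-a"))
```

Two design points are worth noting. The absolute timeout is anchored to `created_at`, which `validate` never refreshes, so an active attacker replaying a stolen ID still loses it at the hard limit. Binding to a client attribute is a defence in depth, not a guarantee: a user agent is trivially copied and an IP address changes for mobile and NAT users, which is why the example treats a mismatch as a reason to invalidate rather than as proof of theft.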

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Set an expiration date for sessions and credentials.
Demonstrative Examples
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.

Code Example (Bad, Java):
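Because the snippet itself is not reproduced above, the following added example (not the page's own code) reconstructs the weak `web.xml` setting from the description, a `session-timeout` of `-1` inside `session-config`, places a corrected fragment beside it, and runs a small audit over both. The fragments are constructed for this example, the 30-minute ceiling is an assumed policy threshold, and the Servlet rule it encodes is that a zero or negative `session-timeout` disables expiration.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

MAX_SESSION_TIMEOUT_MINUTES = 30  # assumed policy ceiling for this example

# Constructed fragments modelled on the description above; not the page's own snippet.
BAD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
"""

GOOD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def check_session_timeout(web_xml: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the session-timeout declaration."""
    root = ET.fromstring(web_xml)
    findings: List[Tuple[str, str]] = []
    timeouts = [e for e in root.iter() if _local(e.tag) == "session-timeout"]
    if not timeouts:
        # Absent element: the container default applies, which must be reviewed per container.
        findings.append(("info", "no <session-timeout> declared; container default applies"))
        return findings
    for elem in timeouts:
        raw = (elem.text or "").strip()
        try:
            minutes = int(raw)
        except ValueError:
            findings.append(("error", f"unparseable session-timeout value {raw!r}"))
            continue
        if minutes <= 0:
            # Servlet semantics: zero or negative means the session never times out.
            findings.append(("high", f"session-timeout={minutes}: sessions never expire"))
        elif minutes > MAX_SESSION_TIMEOUT_MINUTES:
            findings.append(("medium", f"session-timeout={minutes} exceeds policy ceiling "
                                       f"of {MAX_SESSION_TIMEOUT_MINUTES} minutes"))
    return findings


if __name__ == "__main__":
    for label, doc in (("bad", BAD_WEB_XML), ("good", GOOD_WEB_XML)):
        print(label, check_session_timeout(doc) or "no findings")
```

A check like this belongs in CI next to the deployment descriptor: it is cheap, needs no running container, and catches the exact pattern the example describes. Note that an in-range `session-timeout` only bounds idle time; an absolute limit and logout invalidation still have to be implemented in application code.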
Modes of Introduction
Architecture and Design
Implementation
Taxonomy Mapping
  • WASC
Notes
Other: The lack of proper session expiration may improve the likelihood that certain attacks succeed. For example, an attacker may intercept a session ID, possibly via a network sniffer or a cross-site scripting attack. Although short session expiration times do not help if a stolen token is used immediately, they do protect against ongoing replay of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, an Internet cafe, or an open work environment). Insufficient session expiration could allow an attacker to use the browser's back button to access web pages previously visited by the victim.