Insufficient Session Expiration

Vulnerability Details

Severity: Medium

Category: Authentication

Description

The application does not properly expire or invalidate sessions after a period of inactivity, after logout, or after a reasonable maximum lifetime.

Risks

Stolen or leaked session tokens remain valid indefinitely, increasing the window for session hijacking. Shared or public computers may retain active sessions for other users to abuse.

Remediation

Implement idle session timeout (e.g., 15-30 minutes for sensitive applications). Set absolute session lifetime limits. Properly invalidate sessions server-side upon logout. Clear session cookies on the client upon logout.
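The remediation above, worked through as a minimal server-side session store (an added example, not code from the original page): it enforces a sliding idle timeout and an absolute lifetime on every lookup, deletes expired entries so a replayed token cannot be revived, and invalidates the session on logout while returning the Set-Cookie value that clears it on the client. The 15-minute idle and 8-hour absolute limits are assumed values.

```python
import os
import time
from dataclasses import dataclass

# Assumed policy values: 15 minutes idle, 8 hours absolute (seconds).
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_LIFETIME = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # fixed at creation; drives the absolute lifetime
    last_seen: float    # refreshed on each valid request; drives idle timeout


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions = {}  # token -> Session, kept server-side only

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = os.urandom(32).hex()  # 256-bit unguessable identifier
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now=None):
        """Return the user of a live session, or None if the token is
        unknown, idle too long, or past its absolute lifetime."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.idle_timeout
        lifetime_expired = now - s.created_at > self.absolute_lifetime
        if idle_expired or lifetime_expired:
            del self._sessions[token]  # expire server-side, not just on the client
            return None
        s.last_seen = now  # sliding idle window
        return s.user

    def logout(self, token):
        """Invalidate server-side and return the cookie that clears the client copy."""
        self._sessions.pop(token, None)
        return "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Pass `now` explicitly in tests to drive the clock; in production leave it unset so `time.time()` is used.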