The application does not properly expire or invalidate sessions after a period of inactivity, after logout, or after a reasonable maximum lifetime.
Stolen or leaked session tokens remain valid indefinitely, increasing the window for session hijacking. Shared or public computers may retain active sessions for other users to abuse.
Implement idle session timeout (e.g., 15-30 minutes for sensitive applications). Set absolute session lifetime limits. Properly invalidate sessions server-side upon logout. Clear session cookies on the client upon logout.
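The following is an added illustration of the remediation above, not code from the original finding. It is a minimal server-side session store in Python that enforces an idle timeout and an absolute lifetime on every lookup, forgets the token on logout, and emits the `Set-Cookie` header that clears the client cookie. The timeout values, the cookie name `session`, the class and function names, and the `FakeClock` used to drive the demo are all assumptions chosen for this example; a real application would keep the store in a shared backend (database, Redis) rather than a process-local dictionary.

```python
"""Server-side session store with idle timeout, absolute lifetime and
explicit invalidation on logout. Added example; timeout values and
names are assumptions, not part of the original finding."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before expiry (assumed)
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap on session age, activity or not (assumed)
COOKIE_NAME = "session"          # assumed cookie name


@dataclass
class Session:
    user: str
    created_at: float  # drives the absolute-lifetime check
    last_seen: float   # drives the idle-timeout check


class SessionStore:
    """Authoritative record of live sessions. A token is valid only while
    present here, so removing the entry kills the session even if the
    cookie was copied elsewhere or never cleared on the client."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT,
                 absolute_lifetime: int = ABSOLUTE_LIFETIME,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits from the CSPRNG
        now = self.clock()
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired.
        Expired entries are dropped immediately so they cannot be revived."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.created_at > self.absolute_lifetime:
            self.invalidate(token)  # too old, regardless of recent activity
            return None
        if now - sess.last_seen > self.idle_timeout:
            self.invalidate(token)  # idle too long
            return None
        sess.last_seen = now        # activity extends only the idle window
        return sess.user

    def invalidate(self, token: str) -> None:
        """Server-side logout: forget the token whatever the client does."""
        self._sessions.pop(token, None)

    def purge_expired(self) -> int:
        """Periodic sweep so abandoned sessions do not accumulate."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.created_at > self.absolute_lifetime
                or now - s.last_seen > self.idle_timeout]
        for t in dead:
            self._sessions.pop(t, None)
        return len(dead)

    def live_count(self) -> int:
        return len(self._sessions)


def logout_cookie_header() -> str:
    """Set-Cookie value that makes the browser discard the session cookie.
    Max-Age=0 expires it now; Path and other attributes must match the
    ones used when it was set, or the browser treats it as a different cookie."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


class FakeClock:
    """Controllable clock for the demo (constructed test fixture)."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Exercise the three expiry paths with short assumed limits."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=10, absolute_lifetime=100, clock=clock)
    results = {}

    # 1. Idle timeout: alive after 9s of inactivity, dead after 11s more.
    t = store.create("alice")
    clock.advance(9)
    results["idle_before"] = store.validate(t)   # "alice"
    clock.advance(11)
    results["idle_after"] = store.validate(t)    # None

    # 2. Absolute lifetime: steady activity every 9s still ends at 100s of age.
    t = store.create("bob")
    last = None
    for _ in range(12):  # 12 * 9 = 108s of activity
        clock.advance(9)
        last = store.validate(t)
    results["absolute_after"] = last             # None once age exceeds 100s

    # 3. Logout: explicit invalidation wins even though the token still exists client-side.
    t = store.create("carol")
    store.invalidate(t)
    results["after_logout"] = store.validate(t)  # None
    results["live"] = store.live_count()         # 0
    return results


if __name__ == "__main__":
    print(demo())
    print(logout_cookie_header())
```

The key design point is that every check happens against the server-side record on each request: the cookie is only a lookup key, so the client clearing it is a courtesy, not the control. `validate` deletes expired entries as it finds them and `purge_expired` handles the ones no one ever presents again.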