Insufficient Session Expiration| ID: 613 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
According to WASC, "Insufficient Session Expiration is when a
web site permits an attacker to reuse old session credentials or session IDs for
authorization."
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Set sessions/credentials expiration date. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-613 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following snippet was taken from a J2EE web.xml deployment
descriptor in which the session-timeout parameter is explicitly defined (the
default value depends on the container). In this case the value is set to
-1, which means that a session will never expire.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| WASC | 47 | Insufficient Session Expiration | |
References:None
