Insufficient Session Expiration

ID: 613
Date: (C) 2012-05-14, (M) 2020-06-04
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope            Technical Impact              Notes
Access_Control   Bypass protection mechanism

Detection Methods
None

Potential Mitigations

Phase            Strategy   Description                                 Effectiveness   Notes
Implementation              Set sessions/credentials expiration date.

Relationships

Related CWE                    Type       View      Chain
CWE-613 ChildOf CWE-898        Category   CWE-888

Demonstrative Examples

  1. The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
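As an added illustration of the weakness the example describes (this is not the page's snippet, nor code from any project): a web.xml <session-timeout> of -1 disables the container's inactivity timeout, and even a positive value only bounds idle time, so the hypothetical Servlet filter below enforces both an idle timeout and an absolute session lifetime. The class name, timeout values and login path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, added for illustration (not from the page or any project):
// enforces an idle timeout and an absolute lifetime on every established session,
// so a web.xml <session-timeout> of -1 (never expire) cannot leave sessions valid
// forever. Assumes Servlet 4.0+, where init()/destroy() have default implementations.
public class SessionExpirationFilter implements Filter {
    // Assumed policy values: 15 minutes idle, 8 hours absolute.
    private static final int IDLE_SECONDS = 15 * 60;
    private static final long ABSOLUTE_MILLIS = 8L * 60 * 60 * 1000;
    private static final String LOGIN_PATH = "/login"; // assumed login page

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null) {
            // A negative container value means "never expire"; override it per session
            // and also tighten any value looser than the policy.
            int current = session.getMaxInactiveInterval();
            if (current < 0 || current > IDLE_SECONDS) {
                session.setMaxInactiveInterval(IDLE_SECONDS);
            }
            // The idle timeout is reset by every request, so a session that keeps
            // receiving traffic stays valid indefinitely; cap its age from creation.
            long ageMillis = System.currentTimeMillis() - session.getCreationTime();
            if (ageMillis > ABSOLUTE_MILLIS) {
                session.invalidate(); // the old session ID can no longer be reused
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the protected URL pattern in web.xml, and have the logout handler call session.invalidate() so a session ID cannot be reused after logout.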

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy   Id   Name                              Fit
WASC       47   Insufficient Session Expiration

References:
None

CVE (59)
CVE-2019-4072
CVE-2018-1195
CVE-2019-12001
CVE-2020-8867
...

© SecPod Technologies