Insufficient Session Expiration
ID: 613 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Base |
Description
According to WASC, "Insufficient Session Expiration is when a
web site permits an attacker to reuse old session credentials or session IDs for
authorization."
Applicable Platforms: None
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Bypass protection mechanism | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Set sessions/credentials expiration date. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-613 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following snippet was taken from a J2EE web.xml deployment
descriptor in which the session-timeout parameter is explicitly defined (the
default value depends on the container). In this case the value is set to
-1, which means that a session will never expire.
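The deployment descriptor fragment described above, written out here as an added illustration (it is not the snippet the CWE entry quotes). `session-timeout` is expressed in minutes, and the Servlet specification treats 0 or any negative value as "never time out", so the first fragment disables idle expiration entirely; the second fragment is the corrected form, where 30 minutes is a value assumed for this example and not one the entry prescribes.

```xml
<!-- web.xml, weak configuration: -1 (like 0) means sessions never time out -->
<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

<!-- web.xml, corrected configuration: invalidate a session after 30 idle minutes
     (30 is an assumed value chosen for this example, not one the CWE entry prescribes) -->
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
```

Note that `session-timeout` only bounds inactivity; an absolute session lifetime and invalidation on logout are not covered by this setting and must be enforced in application code (for example by calling `HttpSession.invalidate()`), so a reviewer checking for this weakness should look at both the descriptor and the logout path.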
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
WASC | 47 | Insufficient Session Expiration | |
References: None