Insufficient Session Expiration

ID: 613
Date: (C) 2012-05-14, (M) 2017-11-09
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope | Technical Impact | Notes
Access Control | Bypass protection mechanism |

Detection Methods
None

Potential Mitigations

Phase | Strategy | Description | Effectiveness | Notes
Implementation | | Set sessions/credentials expiration date. | |

Relationships

Related CWE | Type | View | Chain
CWE-613 ChildOf CWE-898 | Category | CWE-888 |

Demonstrative Examples

  1. The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
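The following script is an added example (not part of the CWE entry or of SecPod's page) that audits a J2EE web.xml for exactly this weakness: it parses the descriptor, reads <session-timeout>, and flags the "never expires" case (0 or a negative value per the Servlet specification) next to a hardened descriptor with a finite timeout. Both descriptors are constructed samples; the 30-minute ceiling is an assumed policy value.

```python
"""Audit J2EE web.xml deployment descriptors for CWE-613 session-timeout settings.

Per the Servlet specification, <session-timeout> is given in minutes and a value
of 0 or less means sessions never time out. A missing <session-config> leaves
the choice to the container default, which an auditor should verify explicitly.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptors for this example (not taken from any real deployment).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>"""

HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works regardless of schema version."""
    return tag.rsplit("}", 1)[-1]


def session_timeout_minutes(web_xml: str):
    """Return the configured <session-timeout> in minutes, or None if it is absent."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if _local(el.tag) == "session-timeout":
            return int((el.text or "").strip())
    return None


def audit_session_timeout(web_xml: str, max_minutes: int = 30) -> str:
    """Classify a descriptor: 'never-expires' (CWE-613), 'too-long', 'ok' or 'container-default'."""
    timeout = session_timeout_minutes(web_xml)
    if timeout is None:
        return "container-default"  # no explicit setting: confirm the server default
    if timeout <= 0:
        return "never-expires"      # 0 or negative disables expiry per the Servlet spec
    if timeout > max_minutes:
        return "too-long"           # expires, but later than the assumed policy allows
    return "ok"


if __name__ == "__main__":
    for name, descriptor in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{name}: {audit_session_timeout(descriptor)}")
```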

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
WASC | 47 | Insufficient Session Expiration |

References:
None

© 2013 SecPod Technologies