Insufficient Session Expiration |
Weakness ID: 613 (Weakness Base) | Status: Incomplete |
Description Summary
Example 1
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 361 | Time and State | Development Concepts (primary)699 |
ChildOf | Weakness Base | 672 | Operation on a Resource after Expiration or Release | Research Concepts (primary)1000 |
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary)711 |
CanPrecede | Weakness Class | 287 | Improper Authentication | Development Concepts699 Research Concepts1000 |
RequiredBy | Compound Element: Composite | 352 | Cross-Site Request Forgery (CSRF) | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
WASC | |||
WASC | 47 | Insufficient Session Expiration |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
WASC | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Sean Eidemiller | Cigital | External | |
added/updated demonstrative examples | ||||
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Relationships |