What is Insufficient Session Expiration?

Definition

Insufficient Session Expiration is a security vulnerability in which session lifetime is not adequately configured, so sessions remain valid for an extended period. This lets an attacker who obtains a stolen session identifier keep using it, and can allow unauthorized access even after the user has logged out.

Vulnerable Points of Occurrence

  • All pages that require a session.

Vulnerability Verification Method

  • Log out, then re-send a request to a page that requires a session (for example "My Page") with the old session identifier, and check whether the application still accepts it.

Attack Method

Attack Scenario

  1. The attacker identifies that sessions are persisting for an extended period due to insufficient session expiration settings.

  2. Even after a user logs out, if the session remains valid, the attacker can exploit the stolen session to access the application while impersonating the user.

  3. The attacker can then perform illegal actions or abuse the user's privileges.

Attack Flow

  1. The user initiates a logout request to the application.

  2. The application processes the logout request and appears to end the session.

  3. However, because session expiration is not handled correctly, the session identifier remains valid on the server.

  4. The attacker utilizes the stolen session to send requests to the application.

  5. The application processes the attacker's request.

Mitigation Measures

  • Implement proper session expiration settings. Give every session a maximum validity period and automatically expire sessions after a period of user inactivity.

  • Invalidate the session on the server when a user logs out, rather than only clearing it on the client.
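The two mitigations above, as an added example that is not code from the original article: a minimal server-side session store in Python with an idle timeout and an absolute lifetime, where logout deletes the server-side record so a previously issued identifier cannot be replayed. The timeout values and the `FakeClock` helper used to simulate elapsed time are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session expires
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap on session age regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store; the client only ever holds the opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be simulated in tests
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid):
        """Return the user for a live session, or None. Expired entries are purged on access."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s.last_seen = now            # activity refreshes the idle timer, not the absolute cap
        return s.user

    def logout(self, sid):
        """Invalidate server-side; clearing only the client cookie would leave the id usable."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed test clock: advance .t to simulate elapsed time."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t
```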
