Description: Insufficient session expiration can lead to increased vulnerability to attacks through session hijacking and replay attacks. Implementing proper session expiration mechanisms is crucial for secure web applications.

CWE-724: Vulnerabilities in OWASP Top Ten (2004)

CWE-930: Weaknesses in OWASP Top Ten (2013)

CWE-951: Insecure Authentication Policy Cluster

CWE-1028: Vulnerabilities in OWASP Top Ten (2017)

CWE-1353: Identification and Authentication Failures

CWE-1396: Improper Access Control

Learn about the risks of insufficient session expiration in web applications, strategies to mitigate attacks, and the importance of setting proper session expiration times. Get insights into CWE-613 now!

CWE-613: Insufficient Session Expiration - Vulnerability Overview

Insufficient implementation of session expiration increases the potential success of specific attacks. For instance, by intercepting a session ID through means like network sniffing or Cross-site Scripting attacks, an attacker could exploit vulnerabilities. While having short session expiration times does not prevent immediate misuse of a stolen token, it does offer protection against ongoing replay attacks using the session ID. Additionally, in situations where multiple users access a website from shared devices, like libraries, Internet cafes, or open work environments, inadequate session expiration could enable an attacker to navigate previously visited web pages by exploiting the browser's back button.

CWE-613: Insufficient Session Expiration

Is your System Free of Underlying Vulnerabilities? Find Out Now

Is your System Free of Underlying Vulnerabilities?
Find Out Now