Session Management / Session Token Does Not Expire

Web and API

Description

"Session token does not expire" is a vulnerability that occurs when an authentication session token remains valid indefinitely instead of expiring after a defined period of inactivity. This vulnerability is classified under CWE-613: Insufficient Session Expiration and falls under the category of Session Management (CWE-384). According to the OWASP Testing Guide, it can be identified when authentication tokens are found to still be accepted after a period of inactivity.

Risk

Because the token never expires, any copy of it that leaks (through a stolen cookie, a shared machine, log files, or a network intercept) stays usable for as long as the attacker chooses. This leads to security risks such as session hijacking, which allows an attacker to act as the user and steal sensitive data. An attacker who obtains the session token can access the account without the user's knowledge, and can use the token to bypass authentication entirely.

Solution

One way to address this vulnerability is to ensure that session tokens expire after a defined period of inactivity (an idle timeout), enforced on the server side rather than only through a cookie attribute. Once the token has expired, the user is required to authenticate again before they can access their account. Additionally, it is important to ensure that session tokens are not reused: issue a fresh token on each login and invalidate the old one, since accepting a previously issued token reintroduces the same vulnerability.
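The following is an added illustration of the server-side policy described above; it is not code from the original page. It implements an in-memory session store that enforces a sliding idle timeout, an absolute lifetime cap, purging of expired tokens on the server, and token rotation so that an old token is never accepted again. The timeout values (15 minutes idle, 8 hours absolute) and the `demo()` walkthrough with a hand-advanced clock are assumptions chosen for illustration.

```python
"""Server-side session store with idle and absolute expiry (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a token dies (assumed policy)
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap regardless of activity (assumed policy)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store; token validity is decided server-side on every request."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle = idle_timeout
        self._absolute = absolute_lifetime
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable token (256 bits from the CSPRNG)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None; expired tokens are purged."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._idle or now - session.created_at > self._absolute:
            del self._sessions[token]   # server-side revocation, not just a cookie attribute
            return None
        session.last_seen = now         # sliding idle window: activity extends the session
        return session.user

    def rotate(self, token: str) -> Optional[str]:
        """Replace a live token (e.g. after login or privilege change); the old one is dead."""
        user = self.validate(token)
        if user is None:
            return None
        old = self._sessions.pop(token)
        new_token = secrets.token_urlsafe(32)
        # The absolute lifetime is inherited so rotation cannot extend it forever.
        self._sessions[new_token] = Session(user, old.created_at, self._clock())
        return new_token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def demo() -> dict:
    """Walk through the expiry rules with a constructed clock; returns observations."""
    clock = [1_000_000.0]                       # constructed epoch value, advanced by hand
    store = SessionStore(clock=lambda: clock[0])
    out = {}

    tok = store.create("alice")
    out["fresh"] = store.validate(tok)              # 'alice'
    clock[0] += 10 * 60
    out["after_10min"] = store.validate(tok)        # still 'alice': inside the idle window
    clock[0] += 16 * 60
    out["after_16min_idle"] = store.validate(tok)   # None: idle timeout exceeded
    out["purged"] = tok not in store._sessions      # entry removed server-side

    tok = store.create("bob")
    active_checks = 0
    for _ in range(ABSOLUTE_LIFETIME // (10 * 60)):  # stay active every 10 min for 8 hours
        clock[0] += 10 * 60
        if store.validate(tok) == "bob":
            active_checks += 1
    out["active_checks"] = active_checks            # 48: activity kept the idle window open
    clock[0] += 10 * 60
    out["after_absolute"] = store.validate(tok)     # None: absolute cap wins despite activity

    tok = store.create("carol")
    new_tok = store.rotate(tok)
    out["old_after_rotate"] = store.validate(tok)       # None: old token never accepted again
    out["new_after_rotate"] = store.validate(new_tok)   # 'carol'
    out["tokens_differ"] = tok != new_tok
    return out


if __name__ == "__main__":
    print(demo())
```

The key design point is that both checks happen inside `validate()` on every request, so a token the client still holds is worthless once the server-side record has been dropped; setting only a cookie `Expires` attribute would leave the token usable by anyone who captured it earlier.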
