
Insecure session expiration time

Description

User sessions remain valid after more than 5 minutes of inactivity instead of being expired server-side.

Impact

  • Obtain user information.
  • Upload files to the application without authorization.

Recommendation

Invalidate sessions on the server side when they remain inactive for more than 5 minutes, so that a stale session cookie can no longer be used.

Threat

Anonymous attacker on the local network with access to an unattended session.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.4
    • Temporal: 4.4
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application sets an inactivity timeout on the session cookie. Note that express-session takes a Date in `expires`; a lifetime in milliseconds belongs in `maxAge`, and `rolling: true` re-issues the cookie on each response so the window is counted from the last request rather than from login.

const express = require("express");
const session = require("express-session");

const app = express();

app.use(
  session({
    secret: "secretkey",
    resave: true,
    saveUninitialized: false,
    // Reset the expiration countdown on every response (inactivity timeout).
    rolling: true,
    cookie: {
      // Session expires after 5 min of inactivity.
      maxAge: 5 * 60 * 1000
    }
  })
);

Non compliant code

The application does not define a secure inactivity limit before expiring the user session; a 100-year lifetime means an unattended session stays usable indefinitely.

const express = require("express");
const session = require("express-session");

const app = express();

app.use(
  session({
    secret: "secretkey",
    resave: true,
    saveUninitialized: false,
    cookie: {
      // Insecure expiration timeout for sessions: 100 years in milliseconds.
      maxAge: 100 * 365 * 24 * 60 * 60 * 1000
    }
  })
);

Requirements