Skip to main content

Insecure functionality - Session management


It is possible to modify the expiration time of an expired session token, making it possible to make the token functional again and continue to query the application.


Perform queries to the application with an expired Token(JWT).


Once session tokens have expired, they should not be reused in future requests.


Attacker from the Internet with a session token.

Expected Remediation Time

⌚ 60 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.8
    • Temporal: 4.8
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application verifies the user token before accessing sensitive information

const accessProfiles = (req, res) => {
const user = req.body.user;
const token = req.body.token
if(isuserAuth(user, token)){
//Make request after validating user token
goToProfileInfo(user.username, user.token);

Non compliant code

The application does not verify if the user token has expired

const accessProfiles = (req, res) => {
//Redirecting only with a valid username
const user = req.body.user;
//Make request without validating if user token has expired
goToProfileInfo(user.username, user.token);