CWE is a trademark of the MITRE Corporation.

Insufficient Session Expiration [CWE-613]

The Insufficient Session Expiration weakness covers the case where a session identifier remains valid for too long, which allows an attacker who obtains an existing session identifier to use it to log into the application.

Created: May 18, 2014
Latest Update: December 28, 2020

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References


1. Description

Insufficient session expiration is the result of poorly implemented session management. The weakness can be introduced at both the design and the implementation level, and attackers can exploit it to gain unauthorized access to the application.

When handling sessions, web developers can either rely on session tokens provided by the server platform or generate session identifiers within the application. Each session should be destroyed when the user clicks the log-off button, or after a certain period of inactivity, called the timeout. Unfortunately, coding errors and server misconfiguration can affect the session-handling process, which may result in unauthorized access.

Example of vulnerable code
Let’s assume we have an application that uses cookies to authenticate users. The session identifier is transferred in a cookie and is used by the application to authenticate visitors.

The session identifier is generated in a secure manner by the “GenerateSecureToken()” function. The “ValidateSession()” function validates a previously generated session.

  <?php
  if (empty($_COOKIE["SESSION_ID"])):
          // No session cookie yet: issue a new, securely generated identifier
          $SessionID = GenerateSecureToken();
          // Vulnerable: the third argument is an absolute expiry timestamp, and
          // time()*3600 yields a date far in the future, so the cookie practically never expires
          setcookie("SESSION_ID", $SessionID, time()*3600);
  elseif (ValidateSession($_COOKIE["SESSION_ID"])):
          // Existing identifier accepted: greet the user it belongs to
          echo "Hello ".$UserLogin;
  else:
          echo "Please, enter your credentials";
  endif;
  ?>

The vulnerability is introduced by incorrect usage of the PHP “setcookie()” function. Its third argument is the absolute expiry time of the cookie, and by multiplying time() by 3600 instead of adding a lifetime to it, the developer gives the “SESSION_ID” cookie an extremely distant expiry date. The session will therefore not expire for a very long time, and the owner of the cookie is automatically authenticated throughout that period. If the cookie is stolen, an attacker can use the session identifier to authenticate against the vulnerable application and gain unauthorized access with the privileges of the compromised user account.
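As an added example that is not part of the original article, here is the same snippet with the cookie lifetime computed correctly. It assumes, as the article does, that GenerateSecureToken() and ValidateSession() exist and that ValidateSession() sets $UserLogin on success; the 30-minute lifetime, the sessionCookieExpiry() helper and the cookie flags are illustrative choices.

```php
<?php
// Added example (not from the original article): hardened counterpart of the
// vulnerable snippet. GenerateSecureToken() and ValidateSession() are assumed to
// exist with the behaviour the article describes; $UserLogin is assumed to be
// populated by ValidateSession() on success.

const SESSION_LIFETIME_SECONDS = 30 * 60; // illustrative 30-minute lifetime

// Expiry must be an absolute Unix timestamp: "now" PLUS the lifetime.
// The vulnerable version multiplied instead, producing a date thousands of years away.
function sessionCookieExpiry(int $now, int $lifetime = SESSION_LIFETIME_SECONDS): int
{
    return $now + $lifetime;
}

if (empty($_COOKIE["SESSION_ID"])) {
    $SessionID = GenerateSecureToken();
    setcookie("SESSION_ID", $SessionID, [
        'expires'  => sessionCookieExpiry(time()),
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS, reducing exposure to interception
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
} elseif (ValidateSession($_COOKIE["SESSION_ID"])) {
    echo "Hello " . htmlspecialchars($UserLogin);
} else {
    // Expired or unknown identifier: clear the cookie so the browser stops sending it
    setcookie("SESSION_ID", "", ['expires' => time() - 3600, 'path' => '/']);
    echo "Please, enter your credentials";
}
```

The Expires attribute is enforced only by the browser. A copy of the identifier taken before the cookie expires remains usable until the server itself stops accepting it, so ValidateSession() must also check a server-side expiry for the identifier; a short client-side lifetime limits exposure but does not replace that check.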

2. Potential impact

An attacker can bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.


3. Attack patterns

The following CAPEC (Common Attack Pattern Enumeration and Classification) vector is related to this weakness:


In the alternative WASC Threat Classification this vulnerability is described as a weakness under WASC-47 (Insufficient Session Expiration).

4. Affected software

Any multiuser software that uses session-based authentication can be vulnerable to insufficient session expiration weakness.

5. Severity and CVSS Scoring

This weakness should be scored according to the maximum possible impact, the functionality of the web application, and other factors. It is usually scored with medium access complexity, since it requires the victim’s interaction or some other action that reveals the session identifier, such as a Man-in-the-Middle (MitM) attack.

If an attacker is able to gain administrative privileges, this weakness should be scored as:
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - Medium severity.

In case of information disclosure the score will be:
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Medium severity.

6. Mitigations

It is hard to give a general recommendation for the insufficient session expiration weakness, since a variety of cases can lead to this vulnerability. The main general recommendation is to always specify a session expiration time, make sure it is not too long, and make sure the user can end the session using the log-off functionality of the application.

If your application uses server-based session tokens provided by the web server or language interpreter, make sure that the session lifetime is configured properly.
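The following is an added example, not code from the original article, showing how the lifetime of PHP’s native server-side sessions can be enforced along the lines of the two recommendations above: an idle timeout, an absolute timeout measured from session creation, and a log-off routine that destroys the server-side record. The timeout values, the function names and the created_at/last_seen session keys are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original article): server-side lifetime enforcement
// for PHP's native session handler. Timeout values are illustrative choices.

const IDLE_TIMEOUT_SECONDS     = 15 * 60;   // end the session after 15 minutes without a request
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // end it 8 hours after creation regardless of activity

function configureSession(): void
{
    // Server-side garbage collection must not outlive the intended idle timeout;
    // otherwise an identifier stays valid on the server after the browser dropped the cookie.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);
    ini_set('session.use_strict_mode', '1');   // reject identifiers the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns true when the session is still within both timeouts, false after ending it.
function enforceSessionTimeouts(int $now): bool
{
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;   // first request of this session
    }
    $idle   = isset($_SESSION['last_seen'])
              && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT_SECONDS;
    $tooOld = ($now - $_SESSION['created_at']) > ABSOLUTE_TIMEOUT_SECONDS;
    if ($idle || $tooOld) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Log off: destroy the server-side record and invalidate the cookie, so the
// identifier cannot be reused even if it was captured earlier.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

configureSession();
if (!enforceSessionTimeouts(time())) {
    echo "Please, enter your credentials";
    exit;
}
// ... authenticated request handling continues here
```

Because the check runs on the server for every request, a session that has been idle or simply too old is rejected even when the client still presents a syntactically valid cookie, which is the property the cookie’s own Expires attribute cannot provide on its own.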

7. References

  1. CWE-613: Insufficient Session Expiration [cwe.mitre.org]
  2. Insufficient Session Expiration [www.owasp.org]
  3. Insufficient Session Expiration [projects.webappsec.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
