Insufficient Session Expiration is a security flaw in which an application permits an attacker to reuse old session credentials or session IDs, exposing the application to attacks that steal or reuse users’ session identifiers. Insufficient Session Expiration can occur when the session:
A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide users with a means to invalidate their own sessions (logout). These simple measures keep the lifespan of a session ID as short as possible.
To protect against Insufficient Session Expiration attacks, the logout function should be prominently visible to the user, explicitly invalidate the user’s session on the server, and disallow any reuse of the session token.
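The following is an added example, not code from the original page, of a server-side session store that implements the measures above in Python: a sliding idle timeout, an absolute lifetime, and a logout that deletes the entry so the token cannot be reused afterwards. The class names, timeout values and the injectable clock are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float      # when the session was issued
    last_active: float  # last request that used it


class SessionStore:
    """Illustrative server-side store (assumed design, not a specific framework).
    A session id is accepted only while it is within both the idle window and
    the absolute lifetime; expired or logged-out ids are removed so they can
    never be resolved again."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.absolute_timeout = absolute_timeout  # max lifetime regardless of activity
        self.clock = clock                        # injectable clock for tests
        self._sessions = {}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: ids must be unguessable, not sequential
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid):
        """Return the user for a valid id, or None if the id is unknown,
        idle-expired, or past its absolute lifetime. Expired entries are
        deleted on sight so the stale id cannot be reused later."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_active > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self._sessions[sid]
            return None
        s.last_active = now  # slide the idle window forward
        return s.user

    def logout(self, sid):
        # Explicit server-side invalidation; the token is useless afterwards.
        # Returns False if the id was already gone (double logout or reuse attempt).
        return self._sessions.pop(sid, None) is not None
```

A real deployment would also rotate the id at login and store sessions in a shared backend; the logic that decides whether an id is still valid stays the same.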