Insufficient Session Expiration

Insufficient Session Expiration is a security flaw that lets an application permit an attacker to reuse old session credentials or session IDs, thus exposing an application to attacks that steal or reuse users’ session identifiers. Insufficient Session Expiration can occur when the session:

• Time out is too long or when the session is not properly terminated after the user uses the logout/sign out feature. It can also allow an attacker to use the browser's back button to access webpages previously accessed by the victim.
• A long expiration time increases an attacker's chance of successfully guessing a valid session ID. The longer the expiration time, the more concurrent open sessions will exist at any given time.
• The larger the pool of sessions, the more likely it will be for an attacker to guess one at random. Although a short session inactivity timeout does not help if a token is immediately used, the short timeout helps to insure that the token is harder to capture while it is still valid.

A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions, (logout). These simple measures help to keep the lifespan of a session ID as short as possible.

To protect against Insufficient Session Expiration attacks, the logout function should be prominently visible to the user, explicitly invalidate a user’s session, and disallow reuse of the session token