Insufficient Session Expiration is a security flaw in which an application permits an attacker to reuse old session credentials or session IDs, exposing the application to attacks that steal or reuse users' session identifiers. Insufficient Session Expiration can occur when the session timeout is too long or when the session is not properly terminated after the user uses the logout/sign-out feature. It can also allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions (logout). These simple measures keep the lifespan of a session ID as short as possible. To protect against Insufficient Session Expiration attacks, the logout function should be prominently visible to the user, explicitly invalidate the user's session on the server, and disallow reuse of the session token.
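A minimal server-side session store that applies both measures from the paragraph above (idle timeout and server-side invalidation on logout), added here as an example and not code from the original page; the `SessionStore` class, the 15-minute `IDLE_TIMEOUT` and the controllable `FakeClock` are assumptions made for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed policy: 15 minutes of inactivity ends the session


class SessionStore:
    """Server-side session table; the browser only ever holds an opaque ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}          # session ID -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unpredictable, freshly generated per login
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def resolve(self, sid):
        """Return the user for a presented ID, or None if unknown, expired or logged out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[sid]  # idle timeout: drop the record so the ID cannot be reused
            return None
        entry["last_seen"] = now     # activity refreshes the idle window
        return entry["user"]

    def logout(self, sid):
        # Deleting the server-side record is what makes logout effective; clearing the
        # cookie alone would leave a copied ID replayable until the timeout.
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock so the walkthrough is deterministic (constructed for the demo)."""

    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, clock=clock)
    sid = store.create("alice")
    results = {"fresh": store.resolve(sid)}            # "alice"
    clock.now += 899
    results["within_timeout"] = store.resolve(sid)     # "alice": still inside the idle window
    clock.now += 901
    results["after_idle"] = store.resolve(sid)         # None: idle timeout expired
    sid2 = store.create("alice")
    store.logout(sid2)
    results["after_logout"] = store.resolve(sid2)      # None: replayed ID rejected after logout
    results["ids_differ"] = sid != sid2                # True: every login gets a new ID
    return results
```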