Insufficient Session Expiration
| Field | Value |
|---|---|
| ID | java.insufficient_session_expiration |
| Severity | high |
| Resource | Authentication |
| Language | Java |
| Tags | CWE:613, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.6 |
Description
Insufficient session expiration: The application does not enforce an adequate expiration time for user sessions, potentially allowing sessions to remain active for an extended period.
Rationale
User sessions are fundamental to web application security and usability: once a user has authenticated, the session grants access to protected resources. If session expiration is not configured appropriately, sessions may remain active long after the user's access should have ended, and a session identifier that is later leaked or stolen can then be used to gain unauthorized access.
In web applications, failing to set a proper session timeout extends the lifetime of session identifiers and widens the window in which session hijacking is possible.
Different frameworks ship with different default session expiration settings, and some have no expiration at all. It is good practice to set an explicit expiration time for user sessions rather than rely on the framework default.
Consider a scenario where a web application does not specify a session timeout:
```java
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class InsecureSessionServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession();
        // Potentially insecure: session duration is not explicitly configured,
        // so the container default (possibly "never expire") applies
        // Processing request...
    }
}
```
Without defining an explicit session expiration, sessions could remain active indefinitely, posing a security threat.
Remediation
To fix the excessive session expiration problem, specify an appropriate session expiration duration. The right value depends on the nature of the application; in this example a timeout of 15 minutes is considered adequate:
```java
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureSessionServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession();
        // Expire the session after 15 minutes without a request from the client
        session.setMaxInactiveInterval(15 * 60); // 15 minutes, in seconds
        // Processing request...
    }
}
```
To improve session security with web applications, apply the following practices:
- Configure Session Timeout: When creating sessions, specify an explicit timeout duration programmatically to reinforce the session's expiration policy.
- Regular Security Reviews and Testing: Periodically audit session management practices and perform security tests to detect any misconfiguration or emerging threats.
By following these principles, developers can ensure that web applications manage user sessions securely, reducing the risk of session hijacking.
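The remediation above sets only the inactivity (idle) timeout: `setMaxInactiveInterval` never ends a session that keeps receiving requests, so a stolen identifier stays usable for as long as the attacker keeps it busy. The servlet filter below, an added example that is not part of this rule's documentation or of any project's code, applies the 15-minute idle timeout to every new session in one place and additionally invalidates any session older than an absolute lifetime. The 8-hour absolute lifetime, the filter name and the `/*` mapping are assumed values chosen for illustration.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Applies a session lifetime policy to every request.
 * Added example (not the detector's or any project's code); the policy
 * values below are assumptions: 15 min idle timeout, 8 h absolute lifetime.
 */
@WebFilter("/*")
public class SessionLifetimeFilter implements Filter {

    /** Idle timeout in seconds, matching the remediation example. */
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    /** Hard cap on session age in milliseconds, regardless of activity (assumed value). */
    static final long ABSOLUTE_LIFETIME_MILLIS = 8L * 60 * 60 * 1000;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;

        // getSession(false) never creates a session, so unauthenticated traffic
        // does not acquire one just by passing through the filter.
        HttpSession existing = request.getSession(false);
        if (existing != null
                && exceedsAbsoluteLifetime(existing.getCreationTime(), System.currentTimeMillis())) {
            // Idle timeout alone cannot end a session that is kept busy; enforce the hard cap.
            existing.invalidate();
        }

        chain.doFilter(req, res);

        // A session created by the downstream servlet is only visible after the chain ran.
        // isNew() is true until the client has joined the session, so this is idempotent.
        HttpSession created = request.getSession(false);
        if (created != null && created.isNew()) {
            created.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        }
    }

    /** True when a session created at creationTimeMillis is older than the absolute lifetime at nowMillis. */
    static boolean exceedsAbsoluteLifetime(long creationTimeMillis, long nowMillis) {
        return nowMillis - creationTimeMillis > ABSOLUTE_LIFETIME_MILLIS;
    }
}
```

The same idle timeout can be declared once for the whole application in `web.xml` with `<session-config><session-timeout>15</session-timeout></session-config>`; note that the deployment descriptor value is in minutes while `setMaxInactiveInterval` takes seconds, and that a negative value in either place means the session never times out, which is exactly the condition this detector reports.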
Configuration
The detector has the following configurable parameters:
- `maxExpiration`, which indicates the maximum allowed session expiration time in seconds.
References
- CWE-613: Insufficient Session Expiration.
- OWASP Top 10 2021, Category A07: Identification and Authentication Failures.