{"@ID": "613", "@Name": "Insufficient Session Expiration", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "287", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Web Based", "@Prevalence": "Undetermined"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Bypass Protection Mechanism"}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "Set sessions/credentials expiration date."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "<session-timeout>-1</session-timeout>"}, "#text": "[...snipped...]\n                           <session-config></session-config>"}}, "#text": "<web-app></web-app>"}}}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2025-46344", "Description": "JavaScript SDK does not set an expiration time for JWE tokens related to a session", "Link": "https://www.cve.org/CVERecord?id=CVE-2025-46344"}, {"Reference": "CVE-2024-8888", "Description": "Web interface for a power quality analyzer uses tokens without an expiration date", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-8888"}, {"Reference": "CVE-2024-35206", "Description": "network traffic analyzer for PROFINET networks does not expire sessions", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-35206"}, {"Reference": "CVE-2024-27782", "Description": "AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-27782"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "WASC", "Entry_ID": "47", "Entry_Name": "Insufficient Session Expiration"}}, "References": {"Reference": {"@External_Reference_ID": "REF-1520"}}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. However, it can be frequently misused for many different weaknesses related to session expiration. It is being considered for major revisions and/or deprecation.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. See Mintenance Notes.", "Reasons": {"Reason": [{"@Type": "Potential Deprecation"}, {"@Type": "Potential Major Changes"}, {"@Type": "Frequent Misuse"}, {"@Type": "Frequent Misinterpretation"}]}}, "Notes": {"Note": [{"@Type": "Maintenance", "#text": "This CWE entry is being considered\n\t\t   for deprecation.  For many years (as of CWE 4.20), the\n\t\t   intention and usage of this CWE entry has evolved to\n\t\t   include many notions of \"sessions\" that are not specific to\n\t\t   the web. The scope of this entry could be expanded\n\t\t   accordingly, or it could be split into multiple separate\n\t\t   entries.  The original WASC-47 entry [REF-1520] includes\n\t\t   considerations forcing re-authentication for \"inactivity\"\n\t\t   (expiring sessions after a period of inactivity) versus\n\t\t   \"absolute\" (a fixed expiration time), with a goal to \"keep\n\t\t   the lifespan of a session ID as short as possible.\"\n\t\t   However, this CWE has also been used for situations in\n\t\t   which a session is not fully invalidated or terminated upon\n\t\t   logout, which is a different weakness than the original\n\t\t   intention for this entry; however, as of CWE 4.19.1, there\n\t\t   is no entry that covers this other variation. There is also\n\t\t   evidence that this CWE entry is used for session fixation\n\t\t   (CWE-384)."}, {"@Type": "Other", "#text": "The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim."}]}, "Content_History": {"Submission": {"Submission_Name": "WASC", "Submission_Date": "2007-05-07", "Submission_Version": "Draft 6", "Submission_ReleaseDate": "2007-05-07"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Maintenance_Notes, Mapping_Notes, Observed_Examples, References"}]}}
