OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration
Insufficient Session Expiration
To minimize the window in which an attacker can attack active sessions and hijack them, every session must have expiration timeouts that establish how long it remains active. Insufficient session expiration by the web application increases exposure to other session-based attacks, because an attacker can reuse a valid session ID and hijack the associated session only while that session is still active.
The shorter the session interval, the less time an attacker has to use a valid session ID. Session expiration timeout values must be set in accordance with the purpose and nature of the web application, balancing security and usability so that users can comfortably complete their operations without the session frequently expiring. Both the idle and absolute timeout values are highly dependent on the criticality of the web application and its data. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications. When a session expires, the web application must actively invalidate the session on both sides, client and server. The latter is the most relevant and is mandatory from a security perspective.
For most session exchange mechanisms, client-side actions to invalidate the session ID are based on clearing out the token value. For example, to invalidate a cookie it is recommended to provide an empty (or invalid) value for the session ID, and set the “Expires” (or “Max-Age”) attribute to a date from the past (in case a persistent cookie is being used):
Root Cause Summary
Insufficient Session Expiration normally occurs when a programmer does not configure an idle timeout in the web framework, or configures the idle timeout to be too long. Insufficient Session Expiration can also occur when logout functionality is not implemented or is implemented incorrectly. Insufficient session expiration based on absolute timeout normally occurs when custom absolute timeout functionality is not implemented.
Browser / Standards Solution
Currently, session management is normally implemented with cookies and web frameworks that are custom to each solution. There is work underway to define a new standard for instructing the browser about session timeouts and how to handle them.
Generic Framework Solution
Most web application frameworks provide configuration settings for idle timeout.
Custom Framework Solution
Custom Code Solution
Absolute timeout needs to be implemented in a custom way in most web frameworks. The essential logic states that the session must immediately expire when the current time is greater than the absolute timeout length plus the login time.
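The idle and absolute timeout checks, together with the cookie-clearing response described earlier for client-side invalidation, as an added example that is not part of the original page or of any framework. The class and function names, the cookie name `id`, the cookie attributes and the timeout values are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: 15 minutes without activity
ABSOLUTE_TIMEOUT = 4 * 60 * 60  # assumed: 4 hours since login, regardless of activity


class SessionStore:
    """In-memory server-side session table (hypothetical, not a framework API)."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self.idle, self.absolute, self.clock = idle, absolute, clock
        self._sessions = {}  # session ID -> {"user", "login", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unpredictable session ID
        now = self.clock()
        self._sessions[sid] = {"user": user, "login": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session; destroy it and return None if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        # Absolute: current time > login time + absolute timeout length.
        # Idle: current time > last activity + idle timeout length.
        if now > s["login"] + self.absolute or now > s["last_seen"] + self.idle:
            self.invalidate(sid)
            return None
        s["last_seen"] = now  # activity resets the idle timer, never the login time
        return s["user"]

    def invalidate(self, sid):
        """Server-side invalidation, shared by logout and by expiry."""
        self._sessions.pop(sid, None)


def expired_cookie_header(name="id"):
    """Set-Cookie value that clears the client copy: empty value, Expires in the past.

    Path (and Domain, if one was set) must match the original cookie or the
    browser keeps the old one; Path=/ here is an assumption.
    """
    return (f"{name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```

The expiry decision is made only from timestamps held on the server, so a client that ignores the cleared cookie and replays the old session ID is still rejected.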
Discussion / Controversy
Although most web frameworks support idle timeout and few support absolute timeout, there are cases where these generalizations do not hold. Custom session handling mechanisms require much of this logic to be implemented "by hand".