Insufficient Session Expiration

ID

csharp.insufficient_session_expiration

Severity

high

Resource

Authentication

Language

CSharp

Tags

CWE:613, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.6

Description

Insufficient session expiration: The application does not enforce an adequate expiration time for user sessions, potentially allowing sessions to remain active for an extended period.

Rationale

User sessions are fundamental to web application security and usability, enabling access to protected resources once authenticated. If session expiration is not appropriately configured, sessions may inadvertently remain active long after user access should have been terminated, which could lead to unauthorized access if session identifiers are compromised.

In web applications, failing to set proper session timeouts extends the lifetime of session identifiers, increasing exposure to session hijacking.

Different frameworks may have different default session expiration settings, including no expiration at all. It is good practice to set an explicit expiration time for user sessions.

Consider a scenario where a C# web application specifies a long session timeout:

var builder = WebApplication.CreateBuilder(args);
// ...
builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromHours(24);
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
});

With this configuration, a session could remain active for a full day after the user leaves the application without explicitly logging out, posing a security threat.

Remediation

To fix the excessive session expiration problem, specify a more appropriate session expiration duration. According to the nature of the application, a timeout of 15 minutes is considered adequate in this example:

var builder = WebApplication.CreateBuilder(args);
// ...
builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(15);
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
});

To improve session security with web applications, apply the following practices:

  1. Configure Session Timeout: When creating sessions, specify an explicit timeout duration programmatically to reinforce the session’s expiration policy.

  2. Regular Security Reviews and Testing: Periodically audit session management practices and perform security tests to detect any misconfiguration or emerging threats.

By following these principles, developers can ensure that web applications manage user sessions securely, reducing the risk of session hijacking.
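As an added example (not the detector's or the page's own code, and not part of ASP.NET Core), the remediation above carried one step further. IdleTimeout is a sliding timeout: every request that touches the session resets the clock, so a session that is kept active never expires on its own. The snippet below keeps the 15-minute idle timeout and adds a small middleware that records the session creation time and clears the session once it is older than an absolute cap. The 15-minute and 8-hour values, the "__created_utc" key and the middleware itself are illustrative choices made here; the hosting model is the standard minimal-hosting WebApplication.

```csharp
// Added example, not from the page or the framework. Assumes ASP.NET Core minimal hosting;
// the idle timeout, the absolute cap and the "__created_utc" key are illustrative values.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using System;
using System.Globalization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDistributedMemoryCache(); // backing store required by AddSession
builder.Services.AddSession(options =>
{
    // Idle timeout: the session is abandoned after 15 minutes without requests.
    // Every request that accesses the session resets this clock.
    options.IdleTimeout = TimeSpan.FromMinutes(15);
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseSession();

// Absolute lifetime cap (hypothetical helper, not a framework feature): stores the
// session's creation time and clears the session once it is older than maxSessionAge,
// regardless of activity. Without this, a continuously active session never expires.
const string CreatedKey = "__created_utc";
TimeSpan maxSessionAge = TimeSpan.FromHours(8);

app.Use(async (context, next) =>
{
    var session = context.Session;
    var created = session.GetString(CreatedKey);
    var now = DateTime.UtcNow;

    if (created is null)
    {
        // First request of this session: stamp the creation time.
        session.SetString(CreatedKey, now.ToString("O", CultureInfo.InvariantCulture));
    }
    else if (now - DateTime.Parse(created, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind) > maxSessionAge)
    {
        // Session is older than the absolute cap: drop all stored state and start over,
        // even though the idle timeout may not have elapsed.
        session.Clear();
        session.SetString(CreatedKey, now.ToString("O", CultureInfo.InvariantCulture));
    }

    await next();
});

// Minimal endpoint that exercises the session so the middleware has something to guard.
app.MapGet("/", (HttpContext ctx) =>
{
    var visits = (ctx.Session.GetInt32("visits") ?? 0) + 1;
    ctx.Session.SetInt32("visits", visits);
    return $"visits in this session: {visits}";
});

app.Run();
```

Both limits work together: the idle timeout handles a user who walks away, and the absolute cap bounds how long any single session identifier stays valid. The cap should be chosen per application in the same way the idle timeout is, and the detector's maxExpiration parameter only inspects the IdleTimeout value, so the absolute cap is a complementary control rather than something the rule checks.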

Configuration

The detector has the following configurable parameters:

  • maxExpiration: the maximum allowed session expiration time, in seconds.

References