Property
Language: csharp
Severity: high
CWE: CWE-613: Insufficient Session Expiration
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The code sets RequireExpirationTime or ValidateLifetime to false on a TokenValidationParameters instance (Microsoft.IdentityModel.Tokens). RequireExpirationTime = false accepts tokens that carry no exp claim at all; ValidateLifetime = false skips the exp and nbf checks entirely, so a token that expired long ago is still accepted as long as its signature verifies. In ASP.NET Core these properties are usually set through JwtBearerOptions.TokenValidationParameters inside AddJwtBearer. Both properties default to true and should be left that way; tolerate clock drift between issuer and validator with ClockSkew (default five minutes) rather than by disabling lifetime validation.
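As an added example (not code from this page or from the rule's author), the console program below issues two tokens, one already expired and one with no exp claim, and validates each with the flagged settings and with a hardened configuration. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the key, issuer and audience strings are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example: contrasts the flagged settings with a hardened configuration.
// Key, issuer and audience are placeholder values, not real deployment data.
static class JwtLifetimeDemo
{
    const string Issuer = "https://issuer.example";
    const string Audience = "api.example";

    // Placeholder HMAC key (>= 256 bits); load it from a secret store in real code.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("placeholder-key-at-least-32-bytes-long!!"));

    // Issues a signed token; pass null for 'expires' to omit the exp claim entirely.
    static string Issue(DateTime? expires)
    {
        var handler = new JwtSecurityTokenHandler
        {
            // Stop the handler from silently adding a default one-hour exp.
            SetDefaultTimesOnTokenCreation = false
        };
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "alice") }),
            Expires = expires,
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Weak: the configuration this rule flags. exp is optional and never checked.
    static readonly TokenValidationParameters Weak = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = Key,
        RequireExpirationTime = false,
        ValidateLifetime = false
    };

    // Hardened: exp is mandatory and enforced; clock drift is absorbed by ClockSkew.
    static readonly TokenValidationParameters Strict = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = Key,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        RequireExpirationTime = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30)
    };

    // Reports the validation outcome as text instead of letting the exception escape.
    static string Check(string token, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return "accepted";
        }
        catch (SecurityTokenException ex)
        {
            // SecurityTokenExpiredException for a stale exp,
            // SecurityTokenNoExpirationException when exp is missing.
            return "rejected (" + ex.GetType().Name + ")";
        }
    }

    static void Main()
    {
        string expired = Issue(DateTime.UtcNow.AddHours(-1));
        string noExp = Issue(null);

        Console.WriteLine("expired token, weak params:   " + Check(expired, Weak));
        Console.WriteLine("expired token, strict params: " + Check(expired, Strict));
        Console.WriteLine("no-exp token,  weak params:   " + Check(noExp, Weak));
        Console.WriteLine("no-exp token,  strict params: " + Check(noExp, Strict));
    }
}
```

Under Weak both tokens come back "accepted" even though one expired an hour ago and the other has no lifetime at all; under Strict the expired token is rejected with SecurityTokenExpiredException and the exp-less token with SecurityTokenNoExpirationException. The fix in real code is simply to delete the two false assignments (or set them to true) and, if clock drift is the real problem, to adjust ClockSkew instead.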

Impact

A JWT is only as short-lived as its validator makes it. With lifetime validation disabled, a token stolen from a log file, a browser, a proxy or a compromised client stays valid indefinitely: there is no server-side session to revoke, so resetting the user's password does not help, and short of rotating the signing key for every user or adding a server-side revocation list the token cannot be invalidated at all. Attackers can therefore replay old or stolen tokens at will to reach protected resources, which undermines authentication and can lead to account takeover and exposure of sensitive data.