Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware in your Express app (typically `express-session`) is configured without an explicit cookie lifetime: neither `cookie.maxAge` nor `cookie.expires` is set. The resulting `Set-Cookie` header then carries no `Expires` or `Max-Age` attribute, so the browser treats it as a session cookie and keeps it until the browser process exits; browsers that restore their previous session on restart can keep it indefinitely. The session may therefore stay valid for far longer than intended, for example on a shared or unattended machine where the browser is left open.

Impact

Without an expiration date on the session cookie, nothing bounds how long an abandoned session remains usable: it stays active until the user explicitly logs out or the server-side store discards it, which may be never. An attacker who gains access to a lost or unattended device can continue using the established session, leading to unauthorized access to the user's account and any sensitive data it exposes. Setting `cookie.maxAge` (and enabling `rolling` so the limit behaves as an idle timeout) bounds that window.
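The following is an added example, not code from the original page or from `express-session` itself. It places the flagged configuration (no `cookie.maxAge`) beside a hardened one, adds a small audit check for configs that omit an expiry, and uses a simplified, dependency-free serializer to show what each configuration puts on the wire. The option names (`secret`, `resave`, `saveUninitialized`, `rolling`, `cookie.maxAge` in milliseconds) follow express-session's documented API; the serializer and the 30-minute lifetime are assumptions made for this example.

```javascript
// Added example: weak vs. hardened express-session cookie configuration,
// with a simplified model of the resulting Set-Cookie header. The
// serializer below is an approximation written for this example, not the
// code of express-session or the `cookie` package.

// Weak configuration flagged by this rule: no cookie.maxAge / cookie.expires,
// so the Set-Cookie header carries neither Expires nor Max-Age and the
// browser keeps the cookie until it exits (or longer, with session restore).
const weakSessionOptions = {
  secret: 'replace-with-a-real-secret', // placeholder for illustration only
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true },
};

// Hardened configuration: an explicit maxAge bounds the cookie's lifetime.
// 30 minutes is an assumed value; choose what fits the application's risk.
// `rolling: true` re-issues the cookie (and its expiry) on every response,
// so the limit acts as an idle timeout rather than a hard cutoff.
const hardenedSessionOptions = {
  secret: 'replace-with-a-real-secret',
  resave: false,
  saveUninitialized: false,
  rolling: true,
  cookie: { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 30 * 60 * 1000 },
};

// Audit check: does a session config set an explicit expiry?
// Accepts a positive numeric maxAge (ms) or an absolute `expires` Date.
function hasExplicitExpiry(options) {
  const c = (options && options.cookie) || {};
  return (typeof c.maxAge === 'number' && c.maxAge > 0) || c.expires instanceof Date;
}

// Serialize a session cookie roughly the way express-session does: when
// maxAge is set it emits both Expires (absolute) and Max-Age (seconds).
// `now` is injected so the output is deterministic and testable.
function buildSetCookie(name, value, cookieOpts, now) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (typeof cookieOpts.maxAge === 'number') {
    const expires = new Date(now.getTime() + cookieOpts.maxAge);
    parts.push(`Expires=${expires.toUTCString()}`);
    parts.push(`Max-Age=${Math.floor(cookieOpts.maxAge / 1000)}`);
  } else if (cookieOpts.expires instanceof Date) {
    parts.push(`Expires=${cookieOpts.expires.toUTCString()}`);
  }
  if (cookieOpts.httpOnly) parts.push('HttpOnly');
  if (cookieOpts.secure) parts.push('Secure');
  if (typeof cookieOpts.sameSite === 'string') {
    const s = cookieOpts.sameSite;
    parts.push(`SameSite=${s.charAt(0).toUpperCase()}${s.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Server-side consequence of the weak config: with no maxAge there is no
// point in time at which the application can decide a session is too old,
// so a cookie issued at `issuedAt` is still accepted at any `now`.
function sessionExpired(issuedAt, cookieOpts, now) {
  if (typeof cookieOpts.maxAge !== 'number') return false;
  return now.getTime() >= issuedAt.getTime() + cookieOpts.maxAge;
}
```

Run `hasExplicitExpiry` over each `session()` options object in a codebase to find the configurations this rule is about; `buildSetCookie` makes the difference visible as the `Expires`/`Max-Age` attributes that the weak configuration never emits, and `sessionExpired` shows why the server side cannot reject a stale session without that limit.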