Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
The session middleware is configured without an 'expires' property for its cookie, so the session cookie does not expire as intended. Without an explicit lifetime the browser treats it as a session cookie and keeps it until the browser exits (browser session-restore features often keep it longer), and the server-side session stays valid until it is pruned or the user logs out, so a session can effectively remain open indefinitely. This increases the risk of misuse if a user's device is lost, shared, or compromised.
Impact
Without an explicit expiration, a session cookie that is stolen or left behind (on a lost device, a shared machine, or in a log or backup that recorded it) stays usable until the user logs out or the server discards the session, so an attacker can replay it to access the account and any data it can reach. This undermines session security and can lead to unauthorized access and data exposure whenever sessions remain valid longer than necessary. The cookie's expiry is only honoured by a well-behaved browser; the server must also reject sessions that are past their intended lifetime.
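The following is an added example, not code from the original page or from any session-middleware project. It assumes a Node.js setting where the option names (`cookie.maxAge`, `cookie.expires`) follow express-session; the `buildSetCookie` helper, `hasCookieExpiry` check and `SessionStore` class are simplified stand-ins written for illustration. It shows the weak configuration beside the corrected one, the check a rule like this one performs, and the server-side lifetime enforcement that must back the cookie's expiry.

```javascript
// Added example (not from the page or any project): session cookie options
// with and without an expiry, the configuration check, and server-side
// enforcement of the session lifetime.
// Assumption: option names follow express-session (`cookie.maxAge` in ms,
// `cookie.expires` as a Date); the header construction is a simplified stand-in.

const ONE_HOUR_MS = 60 * 60 * 1000;

// Weak: no expires/maxAge. The browser keeps the cookie until it exits (and
// session-restore features often keep it longer); nothing bounds its lifetime.
const weakOptions = {
  name: 'sid',
  cookie: { httpOnly: true, secure: true, sameSite: 'lax' },
};

// Hardened: an explicit absolute lifetime for the cookie, mirrored by the store.
const hardenedOptions = {
  name: 'sid',
  cookie: { httpOnly: true, secure: true, sameSite: 'lax', maxAge: ONE_HOUR_MS },
};

// Build the Set-Cookie header value for a session id under the given options.
function buildSetCookie(options, sessionId, now = Date.now()) {
  const c = options.cookie;
  const parts = [`${options.name}=${encodeURIComponent(sessionId)}`, 'Path=/'];
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.secure) parts.push('Secure');
  if (c.sameSite) parts.push(`SameSite=${c.sameSite[0].toUpperCase()}${c.sameSite.slice(1)}`);
  if (c.expires instanceof Date) {
    parts.push(`Expires=${c.expires.toUTCString()}`);
  } else if (typeof c.maxAge === 'number') {
    // RFC 6265: Max-Age is in seconds; Expires is also sent for older clients.
    parts.push(`Max-Age=${Math.floor(c.maxAge / 1000)}`);
    parts.push(`Expires=${new Date(now + c.maxAge).toUTCString()}`);
  }
  return parts.join('; ');
}

// The check this rule performs: is any cookie expiry configured at all?
function hasCookieExpiry(options) {
  const c = options.cookie || {};
  return c.expires instanceof Date || (typeof c.maxAge === 'number' && c.maxAge > 0);
}

// Server-side enforcement. Expires/Max-Age is honoured only by a well-behaved
// browser, and a copied cookie value carries no expiry at all, so the store
// must reject stale sessions itself.
class SessionStore {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;
    this.sessions = new Map();
  }
  create(sessionId, data, now = Date.now()) {
    this.sessions.set(sessionId, { data, expiresAt: now + this.ttlMs });
  }
  // Returns the session data, or null if unknown or past its absolute lifetime.
  get(sessionId, now = Date.now()) {
    const entry = this.sessions.get(sessionId);
    if (!entry) return null;
    if (now >= entry.expiresAt) {
      this.sessions.delete(sessionId);
      return null;
    }
    return entry.data;
  }
}

// Demo on constructed data (fixed clock so the output is reproducible).
const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
console.log('weak:     ', buildSetCookie(weakOptions, 'abc123', t0));
console.log('hardened: ', buildSetCookie(hardenedOptions, 'abc123', t0));
console.log('weak has expiry:', hasCookieExpiry(weakOptions));         // false
const store = new SessionStore(ONE_HOUR_MS);
store.create('abc123', { userId: 42 }, t0);
console.log('after 59 min:', store.get('abc123', t0 + 59 * 60 * 1000)); // { userId: 42 }
console.log('after 61 min:', store.get('abc123', t0 + 61 * 60 * 1000)); // null
```

The weak header carries no `Max-Age` or `Expires` attribute, which is exactly what this rule flags; the hardened one bounds the cookie to one hour. The store lookup is the part that actually closes the window: even if a client ignores the cookie attributes or replays a copied cookie value, the server refuses it once its lifetime has passed.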