Property
Language: javascript
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Low
Likelihood Level: High

Description

The session middleware is configured without an explicit 'expires' attribute for its cookies, so session cookies may persist longer than intended or until the browser is closed. This can leave sensitive sessions active and increases the risk of unauthorized access.

Impact

If session cookies do not expire properly, attackers or unauthorized users could reuse old session cookies to gain access to user accounts or sensitive data. This can lead to session hijacking, prolonged exposure of user sessions, and increased risk of credential theft or misuse.
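The configuration described above, shown as the flagged form beside a corrected one, with a small audit helper. This is an added example, not the scanner's own logic or code from the original page. It assumes options shaped like those passed to express-session's `session()`; the helper names, the 8-hour ceiling and the placeholder secret are hypothetical.

```javascript
// Added example. Assumes express-session style options ({ cookie: { expires, maxAge } }).
const ONE_HOUR_MS = 60 * 60 * 1000;
const MAX_LIFETIME_MS = 8 * ONE_HOUR_MS; // assumed policy ceiling, not from the page

// Flagged form: the cookie object sets no expiry at all.
const weakOptions = {
  secret: 'placeholder-load-from-config', // constructed placeholder
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true },
};

// Corrected form: explicit, bounded expiry. 'expires' is an absolute instant,
// so it is derived from the clock value passed in.
function hardenedOptions(now = Date.now()) {
  return {
    ...weakOptions,
    cookie: { ...weakOptions.cookie, sameSite: 'lax', expires: new Date(now + ONE_HOUR_MS) },
  };
}

// Remaining cookie lifetime in ms, or null when none is configured.
// maxAge is treated as equivalent because express-session derives Expires from it.
function cookieLifetimeMs(cookie, now) {
  if (cookie.expires instanceof Date && !Number.isNaN(cookie.expires.getTime())) {
    return cookie.expires.getTime() - now;
  }
  if (typeof cookie.maxAge === 'number' && Number.isFinite(cookie.maxAge)) {
    return cookie.maxAge;
  }
  return null;
}

// Returns a list of findings; an empty list means the expiry is explicit and bounded.
function auditSessionCookie(options, now = Date.now()) {
  const cookie = (options && options.cookie) || {};
  const lifetime = cookieLifetimeMs(cookie, now);
  if (lifetime === null) return ['no-expiry'];
  const findings = [];
  if (lifetime <= 0) findings.push('already-expired'); // stale absolute Date
  if (lifetime > MAX_LIFETIME_MS) findings.push('lifetime-too-long');
  return findings;
}

console.log(auditSessionCookie(weakOptions), auditSessionCookie(hardenedOptions()));
```

Auditing the corrected options against a later clock value reports `already-expired`, which is the case to watch for when an absolute `expires` Date is computed once at process start.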