Insufficiently Protected Credentials
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
The session middleware is being used without setting an explicit 'expires' attribute for cookies, causing session cookies to persist until the browser is closed. This can make sessions last longer than intended and weaken session management.
Impact
Without a set expiration, users who forget to close their browsers may remain logged in indefinitely, increasing the risk of session hijacking if someone gains access to their device. This can lead to unauthorized account access and potential exposure of sensitive user data.
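The following is an added example, not code from the rule page or from any session library. It shows the weak configuration the description refers to (a session cookie with no lifetime) beside a corrected one with an explicit `maxAge`, builds the `Set-Cookie` header each would produce, and audits that header for the condition this rule detects. The option shape (`cookie: { maxAge, httpOnly, secure, sameSite }`) is assumed to follow the express-session convention; `buildSetCookie`, `auditSetCookie` and the 30-minute / 24-hour limits are choices made for this example and run on plain Node.js with no dependencies.

```javascript
// Added example: weak vs. corrected session-cookie settings, and an audit
// of the resulting Set-Cookie header. Assumes Node.js; no packages needed.

// Weak configuration (constructed sample): no maxAge/expires, so the cookie
// is a "session cookie" that lives until the browser process exits.
const weakSessionOptions = {
  secret: "placeholder-secret",              // placeholder, not a real secret
  cookie: { httpOnly: true, secure: true },
};

// Corrected configuration: explicit, bounded lifetime of 30 minutes.
const hardenedSessionOptions = {
  secret: "placeholder-secret",
  cookie: { httpOnly: true, secure: true, sameSite: "lax", maxAge: 30 * 60 * 1000 },
};

// Build the Set-Cookie header value for a cookie with the given options.
// Written by hand here; it mirrors the attributes a session middleware
// would forward (maxAge is in milliseconds, as in the assumed option shape).
function buildSetCookie(name, value, cookie, now = Date.now()) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/"];
  if (cookie.maxAge !== undefined) {
    parts.push(`Max-Age=${Math.floor(cookie.maxAge / 1000)}`);
    parts.push(`Expires=${new Date(now + cookie.maxAge).toUTCString()}`);
  }
  if (cookie.httpOnly) parts.push("HttpOnly");
  if (cookie.secure) parts.push("Secure");
  if (cookie.sameSite) {
    const s = cookie.sameSite;
    parts.push(`SameSite=${s[0].toUpperCase() + s.slice(1)}`);
  }
  return parts.join("; ");
}

// Audit a Set-Cookie header value. Returns a list of finding codes:
//   "no-expiry"          neither Max-Age nor Expires (the CWE-522 condition above)
//   "excessive-lifetime" lifetime longer than maxLifetimeSeconds (default 24h)
//   "missing-httponly"   cookie readable from script
//   "missing-secure"     cookie sent over plain HTTP
function auditSetCookie(header, maxLifetimeSeconds = 24 * 60 * 60) {
  const [, ...attrs] = header.split(";").map((s) => s.trim());
  const map = new Map();
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    map.set(key, eq === -1 ? "" : attr.slice(eq + 1));
  }
  const findings = [];
  const hasMaxAge = map.has("max-age");
  const hasExpires = map.has("expires");
  if (!hasMaxAge && !hasExpires) {
    findings.push("no-expiry");
  } else {
    // Max-Age takes precedence over Expires per RFC 6265.
    const lifetime = hasMaxAge
      ? Number(map.get("max-age"))
      : (Date.parse(map.get("expires")) - Date.now()) / 1000;
    if (!Number.isFinite(lifetime) || lifetime > maxLifetimeSeconds) {
      findings.push("excessive-lifetime");
    }
  }
  if (!map.has("httponly")) findings.push("missing-httponly");
  if (!map.has("secure")) findings.push("missing-secure");
  return findings;
}

// Stand-alone demonstration when run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, opts] of [["weak", weakSessionOptions], ["hardened", hardenedSessionOptions]]) {
    const header = buildSetCookie("connect.sid", "abc", opts.cookie);
    console.log(label, "->", header);
    console.log("  findings:", auditSetCookie(header));
  }
}
```

Running the block prints the two headers; the weak one is flagged `no-expiry` while the hardened one is clean. The `excessive-lifetime` check exists because an explicit but very long `maxAge` (weeks or months) reintroduces the same risk the rule describes, so a review should look at the lifetime value and not only at its presence.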