Insufficiently Protected Credentials
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description#
Session cookies are being created without an explicit expiration, that is, with neither a Max-Age nor an Expires attribute. The browser then decides how long to keep them: nominally until the browser is closed, but browsers that restore the previous session keep such cookies across restarts, so in practice they can persist far longer than intended. Session lifetime becomes unpredictable and is no longer bounded by the application.
Impact#
Without a set expiration, a stolen or leaked session cookie stays usable for as long as the browser retains it and the server still accepts it, giving an attacker a long window of unauthorized access to the account. It also makes it harder to bound session lifetimes or enforce logout policies. Note that the cookie's expiration is only a client-side control: the server must also expire the session the cookie refers to (idle and absolute timeouts, invalidation on logout), otherwise a copied cookie remains valid regardless of the Max-Age sent to the browser.
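The following is an added example, not code from the original page or from any scanner: a helper that emits a session cookie with an explicit, capped lifetime, and a small audit routine that flags Set-Cookie headers missing Max-Age/Expires (plus Secure and HttpOnly, since a cookie that can be stolen over plain HTTP or read by script undermines the same protection). The header strings, the cookie name `sessionid` and the 8-hour policy cap `MAX_SESSION_LIFETIME` are constructed assumptions for illustration.

```python
"""Build and audit Set-Cookie headers for an explicit session lifetime."""
from datetime import datetime, timedelta, timezone

# Assumed policy cap: a session cookie should not outlive this many seconds.
MAX_SESSION_LIFETIME = 8 * 60 * 60  # 8 hours (illustrative value)


def build_session_cookie(name, value, max_age, now=None):
    """Return a Set-Cookie header value with both Max-Age and Expires set.

    Max-Age is the authoritative bound for modern browsers; Expires is kept
    for clients that ignore Max-Age. Secure, HttpOnly and SameSite are added
    because an expiring cookie that is easy to steal is still a weak session.
    """
    if max_age <= 0 or max_age > MAX_SESSION_LIFETIME:
        raise ValueError(
            "session lifetime must be between 1 and %d seconds" % MAX_SESSION_LIFETIME
        )
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(seconds=max_age)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return "; ".join(
        [
            f"{name}={value}",
            f"Max-Age={max_age}",
            f"Expires={expires}",
            "Path=/",
            "Secure",
            "HttpOnly",
            "SameSite=Lax",
        ]
    )


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return a list of findings for a Set-Cookie header; an empty list passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"{name}: no Max-Age or Expires; lifetime left to the browser")
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            findings.append(f"{name}: Max-Age is not an integer")
        else:
            if max_age > MAX_SESSION_LIFETIME:
                findings.append(f"{name}: Max-Age {max_age}s exceeds the policy cap")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample headers (not captured from any real application).
WEAK_HEADER = "sessionid=abc123; Path=/; HttpOnly"
FIXED_HEADER = build_session_cookie(
    "sessionid", "abc123", 3600, now=datetime(2024, 1, 1, tzinfo=timezone.utc)
)

if __name__ == "__main__":
    for header in (WEAK_HEADER, FIXED_HEADER):
        print(header)
        print("  findings:", audit_session_cookie(header) or "none")
```

Run the audit against the Set-Cookie headers your application actually emits (for example from a captured login response); the weak header above yields findings for the missing expiration and the missing Secure flag, while the rebuilt header yields none. Remember that passing this check only bounds the cookie on the client; the server-side session store still needs its own timeout and logout invalidation.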