Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
When the Express session middleware is used without setting the 'expires' property on its cookies, the session cookie remains valid until the browser is closed, so sessions persist longer than intended. This increases the risk that an unauthorized user could reuse an active session if a device is left unattended.
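As an added example, not taken from the rule page or from express-session itself, the weak and the corrected express-session configurations side by side, with a small lint-style check (written here, not an express-session API) that reports a cookie configuration lacking both `cookie.expires` and `cookie.maxAge`; both of those option names are real express-session options, while `checkSessionCookieExpiry` and the sample configs are constructed for this page.

```javascript
// Added example for this page: weak vs. corrected express-session cookie settings,
// plus a check (constructed here, not part of express-session) that flags a session
// whose lifetime is not bounded by cookie.expires or cookie.maxAge.
const ONE_HOUR_MS = 60 * 60 * 1000;

// Weak: neither expires nor maxAge, so the cookie is a browser-session cookie and
// the server never imposes its own lifetime on the session (the pattern the rule flags).
const weakSessionOptions = {
  secret: "placeholder-secret-for-demo", // constructed placeholder, not a real secret
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true },
};

// Corrected: maxAge (milliseconds) bounds the session; express-session computes the
// cookie's Expires attribute from it, so the cookie and server-side session both lapse.
const hardenedSessionOptions = {
  secret: "placeholder-secret-for-demo", // constructed placeholder, not a real secret
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true, sameSite: "lax", maxAge: ONE_HOUR_MS },
};

// Returns a list of findings; an empty list means the session lifetime is bounded.
// maxLifetimeMs (optional) additionally flags lifetimes longer than a policy allows.
function checkSessionCookieExpiry(options, maxLifetimeMs) {
  const findings = [];
  const cookie = (options && options.cookie) || {};
  const hasMaxAge = Number.isFinite(cookie.maxAge) && cookie.maxAge > 0;
  const hasExpires =
    cookie.expires instanceof Date && !Number.isNaN(cookie.expires.getTime());
  if (!hasMaxAge && !hasExpires) {
    findings.push("CWE-522: session cookie sets neither maxAge nor expires");
    return findings;
  }
  // Effective lifetime: maxAge wins when present, otherwise time until expires.
  const lifetimeMs = hasMaxAge ? cookie.maxAge : cookie.expires.getTime() - Date.now();
  if (lifetimeMs <= 0) findings.push("session cookie expiry is already in the past");
  if (Number.isFinite(maxLifetimeMs) && lifetimeMs > maxLifetimeMs) {
    findings.push(`session lifetime ${lifetimeMs} ms exceeds policy limit ${maxLifetimeMs} ms`);
  }
  return findings;
}

console.log("weak:", checkSessionCookieExpiry(weakSessionOptions));
console.log("hardened:", checkSessionCookieExpiry(hardenedSessionOptions, ONE_HOUR_MS));
```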
Impact
If an attacker gains access to a device or intercepts a session, they can use the still-valid session cookie to impersonate the user, potentially exposing sensitive data or functionality. Failing to expire cookies properly undermines session security and increases the risk of unauthorized account access.