2.3 Insufficient Session Expiration
Insufficient Session Expiration occurs when a web site permits an
attacker to reuse old session credentials or session IDs for
authorization. Insufficient Session Expiration increases a web site's
exposure to attacks that steal sessions or impersonate other users.
Since HTTP is a stateless protocol, web sites commonly use session
IDs to uniquely identify a user from request to request. Consequently,
each session ID's confidentiality must be maintained in order to
prevent multiple users from accessing the same account. A stolen
session ID can be used to view another user's account or perform a
fraudulent transaction.
The lack of proper session expiration increases the likelihood that
certain attacks succeed. For example, an attacker may intercept a
session ID, possibly via a network sniffer or a Cross-site Scripting
attack. Although short session expiration times do not help if a stolen
token is used immediately, they limit the window during which the
session ID can be replayed. In another scenario, a user might access a
web site from a shared computer (such as at a library, Internet cafe,
or open work environment). Insufficient Session Expiration could allow
an attacker to use the browser's back button to access web pages
previously accessed by the victim.
A long expiration time also increases an attacker's chance of
successfully guessing a valid session ID. The longer sessions live,
the more concurrent open sessions exist at any moment, which enlarges
the pool of valid IDs an attacker might guess.
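The controls the text describes, an idle timeout, an absolute session lifetime, and a logout that actually destroys the server-side session, are shown below as an added example that is not part of the WASC text. It is a minimal in-memory session store with an injectable clock so that expiration can be exercised without waiting; the timeout values, the function names, and the `logout_redirect_only` method (which reproduces the flawed "logout just redirects to the home page" behaviour from the example that follows) are all assumptions made for illustration.

```python
import os
import time

# Illustrative policy values (assumption, not from the WASC text).
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap regardless of activity


class SessionStore:
    """Server-side session table with idle and absolute expiration."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for deterministic tests
        self._sessions = {}        # session_id -> record

    def create(self, user):
        # 128 bits from the OS CSPRNG: the pool of live IDs stays negligible
        # relative to the ID space, whatever the lifetime policy.
        sid = os.urandom(16).hex()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def _expired(self, rec, now):
        return (now - rec["created"] > ABSOLUTE_LIFETIME
                or now - rec["last_seen"] > IDLE_TIMEOUT)

    def resolve(self, sid):
        """Return the user bound to sid, or None if unknown or expired.
        Expired records are deleted on sight so a replayed ID cannot be revived."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if self._expired(rec, now):
            del self._sessions[sid]
            return None
        rec["last_seen"] = now     # sliding idle window
        return rec["user"]

    def logout_redirect_only(self, sid):
        """Flawed logout (hypothetical): redirects but leaves the session alive."""
        return "/"

    def logout(self, sid):
        """Correct logout: destroy the server-side record, then redirect."""
        self._sessions.pop(sid, None)
        return "/"

    def live_session_count(self):
        """Still-valid sessions: the pool an attacker could guess into."""
        now = self._clock()
        for sid in [s for s, r in self._sessions.items() if self._expired(r, now)]:
            del self._sessions[sid]
        return len(self._sessions)


def demo():
    """Exercise each expiration path with a manually advanced clock."""
    clock = {"now": 1_000_000.0}
    store = SessionStore(lambda: clock["now"])

    # Idle timeout: a stolen ID stops working once the victim goes quiet.
    sid = store.create("alice")
    clock["now"] += 10 * 60
    still_valid = store.resolve(sid) == "alice"
    clock["now"] += IDLE_TIMEOUT + 1
    idle_expired = store.resolve(sid) is None

    # Absolute lifetime: periodic keepalive hits cannot extend it forever.
    sid = store.create("bob")
    for _ in range(ABSOLUTE_LIFETIME // (10 * 60)):   # one hit every 10 min
        clock["now"] += 10 * 60
        store.resolve(sid)
    clock["now"] += 60
    absolute_expired = store.resolve(sid) is None

    # Logout: redirect-only leaves the ID replayable; real logout does not.
    sid = store.create("carol")
    store.logout_redirect_only(sid)
    replayable_after_bad_logout = store.resolve(sid) == "carol"
    store.logout(sid)
    replayable_after_good_logout = store.resolve(sid) == "carol"

    return {
        "still_valid": still_valid,
        "idle_expired": idle_expired,
        "absolute_expired": absolute_expired,
        "replayable_after_bad_logout": replayable_after_bad_logout,
        "replayable_after_good_logout": replayable_after_good_logout,
        "live_sessions": store.live_session_count(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter more than the particular numbers: expiry is enforced on the server at lookup time (a client-side cookie `Expires` attribute alone does nothing against an attacker who already holds the ID), and logout removes the record rather than merely redirecting, so a replayed ID fails immediately instead of surviving until the idle timeout.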
Example
In a shared computing environment (more than one person has
unrestricted physical access to a computer), Insufficient Session
Expiration can be exploited to view another user's web activity. If a
web site's logout function merely sends the victim to the site's home
page without ending the session, another user could go through the
Copyright 2004, Web Application Security Consortium. All rights reserved.