Session ID Expiry Time/Max-Age is Excessive

Reference

Plugin ID: 40013
CWE: 384
WASC: 37
Severity: High
Scan type: Active
Category: Session Management

Remediation

  1. Set session expiry time: Configure the session expiry time to be no longer than the average length of time a user spends in the application. A session lifetime of no more than 1 hour is typically recommended.
  2. Re-establish sessions near timeout: Implement a mechanism to re-establish (refresh) a session when it nears its timeout, so that a short expiry does not interrupt active users. This keeps each session valid only for the intended duration.
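As an added example (not code from the StackHawk documentation), the following Python measures the lifetime granted by a Set-Cookie header or by a JWT's exp claim and flags anything beyond the 1-hour guideline above; the header values, the sample token and the 3600-second limit are constructed assumptions for the demo.

```python
import base64
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

MAX_SESSION_SECONDS = 3600  # the 1-hour guideline from the remediation steps


def cookie_lifetime_seconds(set_cookie: str, now: datetime) -> Optional[int]:
    """Lifetime granted by a Set-Cookie header; None for a browser-session cookie.
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    max_age = expires = None
    for attr in set_cookie.split(";")[1:]:  # skip the name=value pair itself
        name, _, value = attr.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value)
        elif name.lower() == "expires":
            expires = parsedate_to_datetime(value)
    if max_age is not None:
        return max_age
    if expires is not None:
        return int((expires - now).total_seconds())
    return None


def jwt_lifetime_seconds(token: str, now: datetime) -> Optional[int]:
    """Seconds until the JWT's exp claim; None when there is no exp claim.
    The payload is only decoded, not signature-verified: this is a lifetime check."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    if "exp" not in claims:
        return None
    return int(claims["exp"] - now.timestamp())


def is_excessive(lifetime: Optional[int], limit: int = MAX_SESSION_SECONDS) -> bool:
    """True when the session would stay valid longer than the limit."""
    return lifetime is not None and lifetime > limit


def make_sample_jwt(claims: dict) -> str:
    """Constructed demo token with a placeholder signature (not a real credential)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder"


# Constructed sample headers: a 30-day cookie (excessive) and a 1-hour cookie (within limit)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EXCESSIVE_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure; Max-Age=2592000"
FIXED_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure; Max-Age=3600"
```

Run the same check against every Set-Cookie header and token your application issues, including refresh tokens, since a short access-token expiry is undone by a long-lived refresh credential.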

About

Cookies and/or JWTs that manage user sessions have an expiry time that is greater than recommended. This means that the session remains valid for a longer period than necessary.

Risks

Sessions that do not expire promptly give an attacker who has captured a user's session token (typically through an XSS vulnerability) the chance to reuse it long after it was stolen. Extending the session expiry time beyond what is necessary widens the window in which a stolen session can be exploited, which can lead to unauthorized access, data breaches, and misuse of user accounts.
