Insufficient Session Expiration

Description

The session middleware settings do not include the `maxAge` property, which is used to set the expiration date for cookies. This can lead to sessions remaining active indefinitely, potentially allowing unauthorized access.

Examples

Insecure Code

javascript

const session = require('express-session');
const app = express();
app.use(session({ secret: 'secret' }));

Secure Code

javascript

const session = require('express-session');
const app = express();
app.use(session({ secret: 'secret', cookie: { maxAge: 3600000 } }));

Remediation

Add the `maxAge` property to the session middleware settings to set an expiration date for cookies. For example: `$SESSION({ cookie: { maxAge: 3600000 } })`

Rule Details

Field	Value
ID	CODE-0391
Category	Auth
Severity	MEDIUM
CWE	CWE-613
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	session management, cookie security
OWASP	A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insufficient Session Expiration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Insufficient Session Expiration ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Insufficient Session Expiration

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details