Insufficient session expiration is a weakness that occurs when a web application allows an attacker to reuse an old session ID instead of forcing the application to issue a new one. Session IDs are mainly used for authorization purposes, so continuing to honour an old session ID increases the application's exposure to attack.
Session expiration consists of two types:
Timeout due to inactivity: this defines the idle time limit after which a session is no longer considered valid.
Absolute timeout: this defines the maximum time for which a particular session is considered valid. During this period, the application does not require the user to authenticate again.
Example
Consider a person using a computer in a cyber cafe to perform a banking transaction through the vulnerable XYZ Bank website. The person logs in with his own credentials, but forgets to log out of the bank website. He simply closes the browser and leaves. A new user (the attacker) comes along and uses the same system. He looks into the browser history and clicks on the last URL accessed. The user's information is still stored and the session is still valid, so the attacker can perform transactions while pretending to be the previous user. This cannot happen if the bank application uses a session timeout of less than 2 minutes. So a shorter session timeout reduces the chance of this attack.
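As an added example (not code from the original article), the following minimal server-side session store enforces both expiration types described above, an idle timeout and an absolute timeout, issues a fresh ID on every login and invalidates the ID on logout. The class and constant names, the 120-second idle limit and the one-hour absolute limit are assumptions chosen for illustration.

```python
"""Session store enforcing idle and absolute timeouts (illustrative example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 120        # assumed: seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 3600   # assumed: hard ceiling on session lifetime since login


@dataclass
class Session:
    user: str
    created_at: float   # set once at login; drives the absolute timeout
    last_seen: float    # refreshed on every valid request; drives the idle timeout


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be exercised in tests
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a fresh, unguessable session ID on every login; old IDs are never reused."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a valid session, or None if it expired or never existed.

        An expired session is deleted server-side, so replaying its ID
        (for example from browser history) cannot revive it.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now   # activity resets the idle clock, never the absolute one
        return s.user

    def logout(self, sid: str) -> None:
        """Explicit logout invalidates the session ID immediately."""
        self._sessions.pop(sid, None)
```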