Misconfigured Session Expiration
TLDR: Misconfigured session expiration can lead to unauthorized access, session hijacking, and compromised user data. Issues such as overly long session durations, failure to invalidate sessions after logout, or improper handling of idle timeouts undermine the security of web applications and APIs. Proper session expiration policies, an integral part of secure application design, have been emphasized since the early 2000s.
https://en.wikipedia.org/wiki/Session_(computer_science)
One common issue is setting excessively long session expiration times without considering the risk of session hijacking. For example, keeping a session active for hours or days without requiring reauthentication can allow attackers to exploit stolen session tokens. Another frequent problem is failing to invalidate sessions upon logout, leaving active tokens vulnerable to misuse. Similarly, neglecting to enforce idle timeouts enables attackers to exploit unattended or inactive sessions.
https://owasp.org/www-project-top-ten/
To mitigate these risks, developers should configure session expiration policies to balance usability and security, such as setting reasonable durations (e.g., 15-30 minutes of inactivity). Implementing secure logout mechanisms that invalidate tokens on the server side ensures that users cannot reuse old sessions. Tools like JWT (JSON Web Tokens) with short-lived tokens and refresh mechanisms provide an additional layer of security. Regular audits and adherence to best practices ensure robust and secure session management.
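The policy described above (a short idle timeout, an absolute lifetime that forces reauthentication, and server-side invalidation on logout) as an added, runnable example; this is illustrative code written for this page, not code from any of the cited projects. The timeout values, the in-memory store and the user names are assumptions chosen for the demonstration, and `demo()` also shows the contrast with a deliberately weak configuration in which a stolen token keeps working for hours.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Hypothetical policy values for the example (not prescribed by the page):
IDLE_TIMEOUT = 15 * 60        # 15 minutes without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # after 8 hours the user must log in again


@dataclass
class Session:
    user_id: str
    created_at: float   # for the absolute lifetime
    last_seen: float    # for the sliding idle window


class SessionStore:
    """Server-side session store keyed by an opaque random token.

    Because validity is decided on the server, logout can really revoke a
    token; deleting the cookie on the client alone would leave it usable."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: dict[str, Session] = {}

    def login(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str, now: float) -> str | None:
        """Return the user id if the session is live, otherwise None.

        An expired session is deleted so a later request cannot revive it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_for = now - s.last_seen
        age = now - s.created_at
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[token]
            return None
        s.last_seen = now          # activity slides the idle window forward
        return s.user_id

    def logout(self, token: str) -> bool:
        """Invalidate on the server; returns False if the token was unknown."""
        return self._sessions.pop(token, None) is not None


def demo() -> dict:
    """Exercise each rule with fixed timestamps (constructed sample data)."""
    t0 = 1_700_000_000.0
    r: dict = {}
    store = SessionStore()

    # Idle timeout: activity keeps the session alive, silence ends it.
    tok = store.login("alice", t0)
    r["fresh"] = store.validate(tok, t0 + 600)              # 10 min later
    r["slid"] = store.validate(tok, t0 + 1200)              # window moved
    r["idle_expired"] = store.validate(tok, t0 + 1200 + IDLE_TIMEOUT + 1)

    # Absolute lifetime: constant activity cannot extend it past 8 hours.
    tok = store.login("bob", t0)
    for k in range(1, 50):                                  # request every 10 min
        r["absolute_expired"] = store.validate(tok, t0 + k * 600)

    # Logout: the old token is refused even one second later.
    tok = store.login("carol", t0)
    r["logout_ok"] = store.logout(tok)
    r["reused_after_logout"] = store.validate(tok, t0 + 1)

    # Weak configuration for contrast: a stolen token still works 6 hours on.
    weak = SessionStore(idle_timeout=24 * 3600, absolute_timeout=30 * 24 * 3600)
    tok = weak.login("dave", t0)
    r["weak_still_valid"] = weak.validate(tok, t0 + 6 * 3600)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The loop for `bob` shows why an absolute lifetime is needed in addition to the idle timeout: a token that is used every ten minutes never trips the idle rule, so only the `created_at` check forces reauthentication. In a real deployment the store would be a database or cache shared by all application instances, and `validate` would be called on every authenticated request.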