| Details | |
|---|---|
| Alert ID | 40013-3 |
| Alert Type | Active |
| Status | beta |
| Risk | High |
| CWE | 384 |
| WASC | 37 |
| Technologies Targeted | All |
| Tags | CWE-384 OWASP_2017_A05 OWASP_2021_A01 OWASP_2025_A01 POLICY_PENTEST WSTG-V42-SESS-03 |
| More Info | Scan Rule Help |
Summary
A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means.
Solution
1) Use the 'Expires' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.
2) Ensure that logout functionality exists, and that it correctly destroys the session.
3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited.
Other Info
session identifier cookie field [JSESSIONID], value [valueA] may be accessed until [Thu, 1 Jan 1970 00:00:01 GMT] (since cookie was received at Thu, 1 Jan 1970 00:00:00 GMT), unless the session is destroyed. The url on which the issue was discovered was flagged as a logon page.
References
- https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
- https://owasp.org/www-community/attacks/Session_fixation
- https://acrossecurity.com/papers/session_fixation.pdf
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
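The validity window that the Summary and Other Info text describe can be checked directly from a response's Set-Cookie header. The script below is an added example, not the scan rule's own code: it applies the RFC 6265 precedence of Max-Age over Expires, computes how long the session id stays usable after receipt, and renders the same "may be accessed until" line for an excessive lifetime. The cut-off (8 hours), the receipt time and the list of session cookie names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed values for this example: the cut-off the scan rule uses is not stated on this page.
MAX_SESSION_LIFETIME = timedelta(hours=8)
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}
# Constructed time at which the response carrying the cookie was received.
RECEIVED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def session_cookie_expiry(set_cookie: str, received_at: datetime = RECEIVED_AT):
    """Return (name, valid_until) for the session-id cookie in one Set-Cookie header.

    valid_until is None when the cookie carries neither Max-Age nor Expires
    (it then lives only until the browser closes). Max-Age wins over Expires,
    as RFC 6265 requires. Returns None if no session-id cookie is present.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if morsel["max-age"]:
            return name, received_at + timedelta(seconds=int(morsel["max-age"]))
        if morsel["expires"]:
            return name, parsedate_to_datetime(morsel["expires"])
        return name, None
    return None


def lifetime_seconds(set_cookie: str, received_at: datetime = RECEIVED_AT):
    """Seconds the session id stays usable after receipt, or None if unbounded or absent."""
    hit = session_cookie_expiry(set_cookie, received_at)
    if hit is None or hit[1] is None:
        return None
    return int((hit[1] - received_at).total_seconds())


def finding(set_cookie: str, received_at: datetime = RECEIVED_AT):
    """Render the alert's 'Other Info' style line when the lifetime is excessive, else None."""
    hit = session_cookie_expiry(set_cookie, received_at)
    if hit is None or hit[1] is None or hit[1] - received_at <= MAX_SESSION_LIFETIME:
        return None
    name, until = hit
    return (f"session identifier cookie field [{name}] may be accessed until "
            f"[{until:%a, %d %b %Y %H:%M:%S GMT}] (since cookie was received at "
            f"{received_at:%a, %d %b %Y %H:%M:%S GMT}), unless the session is destroyed.")
```

Running `finding` on a header such as `JSESSIONID=valueA; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/; HttpOnly` reproduces the alert text, while the corrected form `JSESSIONID=valueB; Max-Age=1800; Path=/; Secure; HttpOnly` returns None.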