SYM_JSTS_0057 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
The session middleware is being used without setting an 'expires' property for cookies, which means session cookies may not expire as intended. This can leave sessions open indefinitely, increasing the risk of misuse if a user's device is lost or compromised.
Impact
Without an explicit expiration, attackers could hijack or reuse old session cookies to access user accounts or sensitive data. This undermines session security, potentially leading to unauthorized access and data breaches if sessions remain valid longer than necessary.
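As an added example (not code from the Symbiotic database or from any project it catalogues), the weak option object beside the corrected one in express-session style, plus a small review helper of the kind a linter rule for this finding would run. `cookie.maxAge` (milliseconds) and `cookie.expires` (a Date) are express-session's real options; `reviewSessionOptions`, `expiresHeaderFor` and the 24-hour limit are assumptions made here.

```javascript
// Added example: weak vs. corrected session cookie configuration for an
// express-session style middleware, and a check that flags the weak form.

const ONE_HOUR_MS = 60 * 60 * 1000;
const MAX_ALLOWED_MS = 24 * ONE_HOUR_MS; // assumed policy limit, not from the page

// Weak: no expiry at all. The browser keeps the cookie until it is closed and
// the server-side session has no upper bound on how long it stays valid.
const weakSessionOptions = {
  secret: 'REPLACE-WITH-LONG-RANDOM-SECRET', // placeholder value
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true, sameSite: 'lax' },
};

// Corrected: an explicit lifetime. express-session turns maxAge into the
// cookie's Expires attribute; rolling renews it on activity so idle sessions
// still die after one hour.
const hardenedSessionOptions = {
  ...weakSessionOptions,
  rolling: true,
  cookie: { ...weakSessionOptions.cookie, maxAge: ONE_HOUR_MS },
};

// Returns a list of findings for a session option object; empty means OK.
function reviewSessionOptions(options) {
  const findings = [];
  const cookie = (options && options.cookie) || {};
  const hasMaxAge = Number.isFinite(cookie.maxAge) && cookie.maxAge > 0;
  const hasExpires =
    cookie.expires instanceof Date && !Number.isNaN(cookie.expires.getTime());
  if (!hasMaxAge && !hasExpires) {
    findings.push('cookie has neither maxAge nor expires: session never expires (CWE-522)');
  }
  if (hasMaxAge && cookie.maxAge > MAX_ALLOWED_MS) {
    findings.push(`cookie.maxAge of ${cookie.maxAge} ms exceeds the 24h limit`);
  }
  return findings;
}

// The Expires attribute a server would emit for a given maxAge, as an
// RFC 7231 HTTP-date string; `now` is injectable so the value is testable.
function expiresHeaderFor(maxAgeMs, now = new Date()) {
  return new Date(now.getTime() + maxAgeMs).toUTCString();
}

console.log('weak:', reviewSessionOptions(weakSessionOptions));
console.log('hardened:', reviewSessionOptions(hardenedSessionOptions));
console.log('Expires=' + expiresHeaderFor(ONE_HOUR_MS));
```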