This article is a part of our Web Security Knowledge Base.

Why “Session ID Expiry Time/Max-Age is Excessive” can be dangerous

This finding means either that your service may have problems with its logout functionality or that the session ID cookie is set to be valid for an excessive period of time. As a result, a valid session cookie is stored longer than it should be, whether the web browser is open or closed.

This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session ID is compromised by some other means. It may then allow the attacker to use the session ID and perform further attacks such as Session Fixation.

How to fix “Session ID Expiry Time/Max-Age is Excessive”

1. Ensure that the logout functionality works as expected and properly destroys the session.
2. Use the 'Expires' or 'Max-Age' cookie directives when setting a cookie containing a session ID, to prevent it from being available for prolonged periods of time.
3. Perform other preventative actions to ensure that if a session ID is compromised, it may not be exploited.
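
To confirm that step 2 took effect, the following added example (not part of the original article and not ScanRepeat's code) computes the effective lifetime of each `Set-Cookie` value and lists session cookies that outlive a limit. The 8-hour limit, the name hints used to recognise session cookies, and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = 8 * 3600          # assumed policy limit in seconds; set your own
SESSION_HINTS = ("sess", "sid")  # assumed substrings identifying session cookies

# Constructed Set-Cookie values for illustration (not real traffic).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Max-Age=31536000; Path=/; HttpOnly",
    "sessionid=xyz789; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
    "sid=q1w2; Max-Age=1800; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "theme=dark; Max-Age=31536000",
    "JSESSIONID=n0p3; Path=/",
]

def cookie_lifetime(set_cookie, now):
    """Return (name, seconds) for one Set-Cookie value; seconds is None when
    neither attribute is present (cookie lasts for the browser session)."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        try:
            if key == "max-age":
                max_age = int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val)
        except (TypeError, ValueError):
            continue  # malformed attribute values are ignored
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, max_age
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, int((expires - now).total_seconds())
    return name, None

def excessive_session_cookies(headers, now=None, limit=MAX_LIFETIME):
    """List (name, seconds) for session cookies that outlive the limit."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, seconds = cookie_lifetime(header, now)
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if is_session and seconds is not None and seconds > limit:
            findings.append((name, seconds))
    return findings
```

Call `excessive_session_cookies()` with the `Set-Cookie` values captured from your login response; an empty list means no session cookie exceeds the limit.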

How does ScanRepeat report “Session ID Expiry Time/Max-Age is Excessive”

ScanRepeat verifies session cookie properties and validates the values of Expiry Time and Max-Age. It reports every occurrence of this vulnerability, providing the URL where the issue was found along with the cookie identifier, its value and its expiry time.
