Session ID Expiry Time/Max-Age is Excessive

This means either that your service may have problems with logout functionality or that session ID cookie is set to be valid for an excessive period of time. Therefore a valid session cookie will be stored longer than it actually should, whether the web browser is opened or closed.

This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. It may then allow the attacker to use the session ID and perform further attacks such as Session Fixation[link].

1. Ensure that the logout functionality works as expected and properly destroys the session.
2. Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.
3. Perform other preventative actions to ensure that if a session id is compromised, it may not be exploited.

ScanRepeat verifies session cookie properties and validates values for Expiry Time and Max-Age. It reports every occurrence of such a vulnerability providing the URL of an issue found along with the cookie identifier, value and its expiry time.