Insecure session management
Description
The session token does not expire (is not invalidated) when the user terminates the session, so it can still be used to send requests afterwards.
Impact
- Access the session of a previously authenticated user.
- Make requests to obtain confidential information.
- Obtain business information using a still-valid token.
Recommendation
Ensure that the session token expires (is invalidated on the server side) as soon as the user logs out.
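As an added example (not part of this entry or of any product's code), the following Python session store shows the recommendation in practice: logout() deletes the server-side record so a token reused after logout is rejected, while insecure_logout() shows the client-side-only logout that produces this finding. The in-memory store, the timeouts and the token format are assumptions for illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed value)


class SessionStore:
    """Server-side session registry. The token given to the browser is only a
    lookup key; user and timestamps live here, so the server, not the client,
    decides when a token stops working. Only a hash of the token is stored."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be exercised in tests
        self._sessions = {}   # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._now()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def authenticate(self, token):
        """Return the user bound to the token, or None if the session is gone."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None   # never issued, or already revoked by logout
        now = self._now()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]   # expired: drop it and reject the request
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, token):
        """The fix for this finding: delete the server-side record, so the same
        token is rejected on every later request. Returns False if the token
        was not live, which is worth logging as a possible replay attempt."""
        return self._sessions.pop(self._key(token), None) is not None


def insecure_logout(store, token):
    """The vulnerable pattern: 'logout' only tells the browser to drop the cookie
    and never touches the store, so anyone holding the token can keep using it."""
    return "Set-Cookie: session=; Max-Age=0"
```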
Threat
Anonymous attacker from the Internet with access to a session token.
Expected Remediation Time
⏱️ 60 minutes.