Gone on too long, P-8 Missing or Insufficient Session Expiration
You pray for rain, you gotta deal with the mud too. That's a part of it. - Denzel Washington
P-8 Missing or Insufficient Session Expiration
The OWASP Top 10 Privacy Risks Project identifies the top 10 privacy risks in web applications, the cloud and the global online ecosystem. In September of 2021, version 2 of the project was released. I'm going to work through the list and discuss each risk, with references and mitigation countermeasures, if they exist.
What is a session? From MDN
Poorly enforced session termination is a significant privacy risk. Sessions may be reused for authorization to access user data without the user's consent or awareness.
This risk can be mitigated by configuring shorter session expiration periods, implementing a logout function and avoiding "infinite" session timeouts.
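The three mitigations above can be enforced together on the server side. The sketch below is an added example, not code from the OWASP project or from this post; the `SessionStore` class, its method names and the 15-minute idle / 8-hour absolute limits are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed value: seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed value: hard cap on session lifetime


class SessionStore:
    """Hypothetical in-memory, server-side session store (illustration only)."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        # Refuse "infinite" sessions: both limits must be finite and positive.
        if not (0 < idle <= absolute < float("inf")):
            raise ValueError("session timeouts must be finite and positive")
        self.idle, self.absolute, self.clock = idle, absolute, clock
        self._sessions = {}  # session id -> record kept on the server

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if expired or unknown."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        idle_expired = now - rec["last_seen"] > self.idle
        too_old = now - rec["created"] > self.absolute
        if idle_expired or too_old:
            del self._sessions[sid]  # expired: destroy the state server-side
            return None
        rec["last_seen"] = now  # activity extends the idle window only
        return rec["user"]

    def logout(self, sid):
        """Explicit logout: the identifier stops working immediately."""
        return self._sessions.pop(sid, None) is not None
```

Because the absolute limit is measured from `created`, continuous activity cannot keep a session alive indefinitely, and a copied session identifier is useless after logout because the record no longer exists on the server.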
Image Credit
Photo by Zdeněk Macháček on Unsplash
Quote Credit
Denzel Washington Quotes. (n.d.). BrainyQuote.com. Retrieved July 12, 2022, from BrainyQuote.com Web