Session Cookie with No maxAge

Without Max-Age a session cookie can remain in the browser for a pro-long time. This increases risk of session hijack.

Remediation

Specify Max-Age and set it to a shorted span of time a cookie should remain in the browser.

Metadata

Severity: informational
Slug: session-cookie-with-no-maxage

CWEs

613: Insufficient Session Expiration

OWASP

A02:2021: Cryptographic Failures

Available Labs

Open Typescript labs in SecDim Play for this vulnerability.

easy

Cookie.ts

TypeScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.