Base · Medium

CWE-613: Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

CWE-613 · Base Level · 4 CVEs · 1 Mitigation

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

The following snippet is taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default depends on the container; Tomcat's is 30 minutes). The value is expressed in minutes. Here it is set to -1, which, like any value of zero or less under the Servlet specification, means that sessions never time out: a leaked or stolen session ID stays valid indefinitely, and the only thing that ends a session is an explicit invalidate() call by the application.
Bad
<web-app>
    [...snipped...]
    <session-config>
        <session-timeout>-1</session-timeout>
    </session-config>
</web-app>

Mitigations & Prevention

Implementation

Set an expiration date on sessions and credentials. In practice this means an idle timeout (the session dies after a period of inactivity) plus an absolute lifetime (the session dies at a fixed time after login regardless of activity), and invalidating the server-side session state on logout rather than only clearing the client's cookie, since an ID that the server still honours can be replayed.
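The following servlet filter is an added illustration of that mitigation in the J2EE setting of the demonstrative example; it is not code from the CWE entry or from any of the products named on this page. It enforces an absolute session lifetime on top of the container's idle timeout (the <session-timeout> descriptor value only controls inactivity, so a session that is used regularly would otherwise never expire) and destroys the server-side session on logout. The limits, attribute names and the /logout path are assumptions chosen for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the original page): enforces both an idle timeout and an
// absolute session lifetime, and invalidates the session on logout. The limits and
// the "/logout" path are assumptions, not values taken from any real application.
@WebFilter("/*")
public class SessionExpirationFilter implements Filter {

    // Idle timeout in seconds; mirrors <session-timeout> (which is in minutes) in web.xml.
    private static final int IDLE_TIMEOUT_SECONDS = 30 * 60;
    // Absolute lifetime in milliseconds, measured from session creation, not last use.
    private static final long ABSOLUTE_LIFETIME_MILLIS = 8L * 60 * 60 * 1000;
    // Hypothetical logout path handled by this filter.
    private static final String LOGOUT_PATH = "/logout";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so anonymous requests pass through.
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (isExpired(session, System.currentTimeMillis())) {
                // Destroy the server-side state. Clearing only the cookie would leave the
                // old ID reusable by anyone who captured it, which is exactly CWE-613.
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/login?expired=1");
                return;
            }
            // Make the idle timeout explicit instead of trusting the container default
            // (or a descriptor that sets it to -1).
            session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        }

        if (LOGOUT_PATH.equals(request.getServletPath())) {
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        chain.doFilter(req, res);
    }

    // Kept separate so it can be unit-tested against a mock HttpSession.
    // Inside a request, getLastAccessedTime() reports the previous request's time,
    // so the idle check measures the real gap between requests.
    static boolean isExpired(HttpSession session, long now) {
        long age = now - session.getCreationTime();
        long idle = now - session.getLastAccessedTime();
        return age > ABSOLUTE_LIFETIME_MILLIS || idle > IDLE_TIMEOUT_SECONDS * 1000L;
    }
}
```

Two points worth checking when adopting something like this: the container's own idle expiry still depends on a positive <session-timeout> in web.xml, so fix the descriptor as well as adding the filter; and on successful login the session ID should be rotated (request.changeSessionId() in Servlet 3.1 and later) so that a pre-authentication ID cannot be fixated and then reused after the user logs in.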

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID            Description
CVE-2025-46344    JavaScript SDK does not set an expiration time for JWE tokens related to a session
CVE-2024-8888     Web interface for a power quality analyzer uses tokens without an expiration date
CVE-2024-35206    Network traffic analyzer for PROFINET networks does not expire sessions
CVE-2024-27782    AI/ML monitor for IT operations allows reuse of old session tokens due to insufficient session expiration

Taxonomy Mappings

  • WASC: 47 — Insufficient Session Expiration

Frequently Asked Questions

What is CWE-613?

CWE-613 (Insufficient Session Expiration) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

How can CWE-613 be exploited?

Attackers exploit CWE-613 (Insufficient Session Expiration) to bypass a protection mechanism: a session ID or token that was captured, leaked, or left behind on a shared machine keeps granting access long after it should have been retired. The weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-613?

Set an expiration date on sessions and credentials: enforce an idle timeout and an absolute lifetime, and invalidate server-side session state on logout so an old ID cannot be replayed.

What is the severity of CWE-613?

CWE-613 is classified as a Base-level weakness in CWE's abstraction hierarchy, and this page rates it Medium. It has been observed in the 4 real-world CVEs listed above.