Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.

Gone on too long, P-8 Missing or Insufficient Session Expiration

posted on July 12, 2022 | tags: [ owasp, privacy ]
Build it right
From OWASP on P-8: Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.

P-8 Missing or Insufficient Session Expiration

The OWASP Top 10 Privacy Risks Project identifies the top 10 privacy risks in web applications, the cloud and the global online ecosystem. In September of 2021, version 2 of the project was released. I'm going to work through the list and discuss each risk, with references and mitigation countermeasures, if they exist.

What is a session? From MDN

Poorly enforced session termination is a significant privacy risk. A session that is never ended remains a valid credential: it can be reused to access the user's data, for example by the next person at a shared machine or by anyone holding a copy of the session cookie, without the user's consent or awareness.

This risk can be mitigated by enforcing session expiration on the server side (an idle timeout plus an absolute lifetime, so steady activity cannot keep a session alive forever), implementing a logout function that invalidates the session on the server rather than merely deleting the cookie, and never configuring "infinite" session timeouts.
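The following is an added example, not code from the original post or from OWASP, showing what those three countermeasures look like when implemented server-side: a session store with an idle timeout, an absolute lifetime, a logout that invalidates the token server-side, and a constructor that refuses "infinite" timeouts. The `SessionStore`, `FakeClock` and `demo` names are assumptions made for this illustration, and the timings in `demo` are constructed data.

```python
"""Server-side session expiry: idle timeout, absolute lifetime, server-side logout.

Added example for this post; SessionStore, FakeClock and demo are illustrative names.
"""
import math
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    created_at: float   # for the absolute lifetime
    last_seen: float    # for the idle timeout


class SessionStore:
    """A session dies after idle_timeout seconds without a request, or
    absolute_timeout seconds after creation, whichever comes first.
    Expiry is decided here, never by trusting a cookie's max-age."""

    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        # Refuse the "infinite session" configuration the risk is about.
        for name, value in (("idle_timeout", idle_timeout), ("absolute_timeout", absolute_timeout)):
            if not (math.isfinite(value) and value > 0):
                raise ValueError(f"{name} must be a finite, positive number of seconds")
        self._idle = idle_timeout
        self._absolute = absolute_timeout
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Issue an unguessable token (256 bits of randomness) bound to user_id."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > self._idle or now - s.created_at > self._absolute

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session and refresh its idle timer; None otherwise.
        Expired sessions are deleted on sight so they cannot be revived later."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, token: str) -> bool:
        """Invalidate server-side; a retained copy of the cookie is useless afterwards."""
        return self._sessions.pop(token, None) is not None

    def active_count(self) -> int:
        """Number of sessions still considered live right now."""
        now = self._clock()
        return sum(1 for s in self._sessions.values() if not self._expired(s, now))


class FakeClock:
    """Controllable clock so the expiry logic can be exercised without sleeping."""
    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through idle expiry, absolute expiry and logout with constructed timings."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(idle_timeout=15 * 60, absolute_timeout=60 * 60, clock=clock)
    out = {}

    # 1. Idle timeout: 10 min of silence is fine, 16 min is not.
    tok = store.create("alice")
    clock.advance(10 * 60)
    out["alive_after_10_idle_min"] = store.validate(tok)
    clock.advance(16 * 60)
    out["dead_after_16_idle_min"] = store.validate(tok)

    # 2. Absolute lifetime: a request every 10 min keeps the idle timer fresh,
    #    but the session still ends one hour after creation.
    tok = store.create("bob")
    touches = sum(1 for _ in range(6) if (clock.advance(10 * 60), store.validate(tok))[1] == "bob")
    out["touches_within_absolute_limit"] = touches
    clock.advance(10 * 60)
    out["dead_after_absolute_limit"] = store.validate(tok)

    # 3. Logout invalidates server-side, so replaying the token fails.
    tok = store.create("carol")
    out["logout_first"] = store.logout(tok)
    out["logout_again"] = store.logout(tok)
    out["replay_after_logout"] = store.validate(tok)

    # 4. An "infinite" timeout is rejected at configuration time.
    try:
        SessionStore(idle_timeout=float("inf"), clock=clock)
        out["infinite_rejected"] = False
    except ValueError:
        out["infinite_rejected"] = True

    out["live_sessions"] = store.active_count()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The design choice that matters for P-8 is that every expiry decision is made from server-side timestamps: a cookie's `Max-Age` only tells a cooperating browser when to discard it, and does nothing against a copied cookie or a shared machine where the browser is still open. Pair the store with a periodic sweep (or a TTL in the backing store) so expired entries do not linger in memory.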

References

  1. OWASP Top 10 Privacy Risks Project
  2. OWASP Session Timeout
  3. CWE-613: Insufficient Session Expiration

Image Credit

Photo by Zdeněk Macháček on Unsplash

Quote Credit

Denzel Washington Quotes. (n.d.). BrainyQuote.com. Retrieved July 12, 2022, from BrainyQuote.com