Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.

Gone on too long, P-8 Missing or Insufficient Session Expiration

posted on July 12, 2022 | tags: [ owasp, privacy ]
Build it right
You pray for rain, you gotta deal with the mud too. That's a part of it. - Denzel Washington

P-8 Missing or Insufficient Session Expiration

The OWASP Top 10 Privacy Risks Project identifies the top 10 privacy risks in web applications, the cloud and the global online ecosystem. In September of 2021, version 2 of the project was released. I'm going to work through the list and discuss each risk, with references and mitigation countermeasures, if they exist.

What is Session? From MDN

Poorly enforced session termination is a significant privacy risk. Sessions may be reused for authorization to access user data without the user's consent or awareness.

This risk can be mitigated by configuring shorter session expiration periods, implementing a logout function and avoiding "infinite" session timeouts.


  1. OWASP Top 10 Privacy Risks Project
  2. OWASP Session Timeout
  3. CWE-613: Insufficient Session Expiration

Image Credit

Photo by Zdeněk Macháček on Unsplash

Quote Credit

Denzel Washington Quotes. (n.d.). BrainyQuote.com. Retrieved July 12, 2022, from BrainyQuote.com Web