Severity: medium | CWE-613 | OWASP A07:2021

No Session Timeout

Sessions that never expire stay valid indefinitely, giving attackers unlimited time to use stolen tokens.

How It Works

If a JWT or session token has no expiry, a token stolen from a breach, a leaked log, or a compromised device remains valid forever. The attacker can return months later and the token still works. Session timeouts limit the window of opportunity even when a token is compromised.

Vulnerable Code

// BAD: JWT with no expiry — valid forever
import jwt from 'jsonwebtoken';
// user is the authenticated user record
const token = jwt.sign({ userId: user.id }, process.env.JWT_SECRET!);
// No expiresIn — this token never expires

Secure Code

// GOOD: short-lived access token + refresh token pattern
import jwt from 'jsonwebtoken';
const accessToken = jwt.sign(
  { userId: user.id },
  process.env.JWT_SECRET!,
  { expiresIn: '15m' }  // short-lived access token
);
// Random, opaque token; stored (hashed) in the DB with a 30-day expiry so it can be revoked
const refreshToken = generateSecureToken();
// Client uses refresh token to get new access tokens silently

Real-World Example

The 2020 Zoom security audit found that some tokens had no expiry configured. Security researchers demonstrated that a token from a year-old log entry was still valid, allowing them to authenticate as users who had long since changed their passwords.

How to Prevent It

  • Set a short expiry on JWTs (15-60 minutes) and implement a refresh token flow
  • Implement absolute session timeout (e.g., 30 days maximum) regardless of activity
  • Implement idle session timeout (e.g., 2 hours of inactivity) for sensitive applications
  • Store refresh tokens in the database so they can be revoked server-side

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
