Insufficient Session Expiration in firefly-iii/firefly-iii


Reported on

Feb 19th 2023


Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed after the user hits the log off button, or after a certain period of time, called timeout. The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.

Proof of Concept

1- After I login with demo user, I checked the value the expiration fo firefly_session, the value should be "session", not a fixed date and time. 

Please check the reference pic 

# Impact

An attacker can steal or hijack unexpired sessions to bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.


We are processing your report and will contact the firefly-iii team within 24 hours. a year ago
We have contacted a member of the firefly-iii team and are waiting to hear back a year ago
James Cole validated this vulnerability a year ago
waadahmed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
James Cole marked this as fixed in 6 with commit 68f398 a year ago
James Cole has been awarded the fix bounty
flashes.twig#L18-L91 has been validated
Waad Albayyali
a year ago


Dear James, Is there a way to receive the vulnerability before 1st of April?

This vulnerability has now been published a year ago
to join this conversation