Insufficient Session Expiration in firefly-iii/firefly-iii
Feb 19th 2023
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed after the user hits the log off button, or after a certain period of time, called timeout. The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.
Proof of Concept
1- After I login with demo user, I checked the value the expiration fo firefly_session, the value should be "session", not a fixed date and time.
Please check the reference pic
An attacker can steal or hijack unexpired sessions to bypass authentication mechanisms and gain unauthorized access to the web application without providing proper credentials.