Description

This web application has the sessionState property regenerateExpiredSessionId set to false which indicates that expired session IDs will not be regenerated. Session IDs are tokens generated by web applications to uniquely identify an application user's session. When a user logs out, the web application must invalidate the current session ID so they cannot be used anymore.

Remediation

It's recommended to set the sessionState property regenerateExpiredSessionId to true. 

 <sessionState ... regenerateExpiredSessionId="true" />

References

RegenerateExpiredSessionId

Related Vulnerabilities

File Upload Functionality Detected

Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed

Web server default welcome page

Apache Kafka Unauthorized Access Vulnerability

ASP.NET event validation disabled

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration