---
name: cwe-613-insufficient-session-expiration
description: Use this skill when you need to remediate CWE-613 (Insufficient Session Expiration) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing insufficient session expiration issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-613
  - remediation
  - sast
---
# CWE-613 Insufficient Session Expiration

## Description

Insufficient Session Expiration

Reference: https://cwe.mitre.org/data/definitions/613.html

OWASP Category: A07:2021 – Identification and Authentication Failures

## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
import org.springframework.context.annotation.Configuration;

// VULNERABLE: No session timeout configured
@Configuration
public class SecurityConfig {
    // No session management configured: the application inherits the servlet
    // container's default session lifetime and sets no concurrency limit.
}
```

Why it's vulnerable: Nothing bounds the lifetime of an authenticated session. The application relies on the servlet container's default idle timeout, allows any number of concurrent sessions per user, and has no handling for expired sessions, so a session ID that is stolen, or left behind on a shared machine, stays usable for longer than the application requires.
## Deterministic Fix

### ✅ Secure Implementation

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// SECURE: Configure session timeout and management
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.sessionManagement(session -> session
            // Only create a session when one is actually needed
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            // One live session per user; a new login expires the previous one
            .maximumSessions(1)
            // Requests arriving on an expired session are redirected here
            .expiredUrl("/session-expired")
        );
        return http.build();
    }
}
```

The idle timeout itself is enforced by the servlet container and is set in `application.properties`:

```properties
server.servlet.session.timeout=30m
```

Why it's secure: Sessions are created only when needed, each user is limited to a single concurrent session, a request on an expired session is sent to a dedicated page instead of being served, and the container-level timeout bounds how long an idle session remains valid.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find session configuration (GNU grep basic-regex alternation with \|)
grep -rn "sessionManagement\|session.timeout" --include="*.java" --include="*.properties"
```
## Remediation Steps

1. Set appropriate session timeout (15-30 minutes for sensitive apps)
2. Invalidate session on logout
3. Limit concurrent sessions
4. Re-authenticate for sensitive operations
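As an added example that is not part of the original skill file, the following Spring Security 6 / Spring Boot 3 configuration applies all four steps together. The package name, the URL paths (`/login`, `/account/**`, `/session-expired`, `/invalid-session`), the `AccountService` class and the 15-minute value are illustrative assumptions; a `UserDetailsService` and `PasswordEncoder` are assumed to be defined elsewhere in the application.

```java
// Added example, not from the original skill file. Package, paths, the AccountService
// class and the 15-minute timeout are hypothetical; a UserDetailsService and
// PasswordEncoder are assumed to exist elsewhere in the application.
package com.example.session;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
public class SessionHardeningConfig {

    // Step 1 (timeout) lives in application.properties, because the idle timeout is
    // enforced by the servlet container rather than by Spring Security:
    //   server.servlet.session.timeout=15m
    // 15 minutes is the lower end of the 15-30 minute range for sensitive apps.

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/session-expired", "/invalid-session").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // Step 3: at most one live session per principal. A newer login expires the
            // older session, and a request arriving on it is redirected, not served.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Issue a fresh session ID at login so a pre-authentication ID is never reused.
                .sessionFixation(fixation -> fixation.migrateSession())
                // A request presenting an unknown or timed-out session ID lands here.
                .invalidSessionUrl("/invalid-session")
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/session-expired"))
            // Step 2: logout must destroy the server-side session and the cookie,
            // not merely clear the in-memory authentication.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }

    // Required for maximumSessions(): the session registry only learns that a session
    // was destroyed (timeout or logout) if the container's HttpSessionEvents are published.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config)
            throws Exception {
        return config.getAuthenticationManager();
    }
}

// Step 4: re-authenticate before a sensitive operation. A live session alone does not
// prove the person at the keyboard is still the account owner, so the current password
// is verified again immediately before the change is applied. (Hypothetical service.)
@Service
class AccountService {

    private final AuthenticationManager authenticationManager;

    AccountService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Changes the e-mail address; throws AuthenticationException if currentPassword is wrong. */
    public void changeEmail(String currentPassword, String newEmail) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // authenticate() throws on a wrong password, aborting before any state changes.
        authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(current.getName(), currentPassword));
        // Persist newEmail for current.getName() here (repository call omitted).
    }
}
```

`invalidSessionUrl` and `expiredUrl` are deliberately different pages: the first fires when the container no longer knows the session ID (timeout), the second when Spring Security's registry has marked a still-existing session as expired because of a newer login, and telling users which one happened helps them recognise an account that is being used from somewhere else.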
## Key Imports

```java
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
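An added example, not from the original skill file, of the tests called for in step 3, written with Spring Boot's MockMvc support. It assumes the application has a `@SpringBootApplication` class and the secure configuration above, that CSRF protection is left at its default (so logout is a POST), and that the `spring-boot-starter-test` and `spring-security-test` dependencies are present; the class name, the user name `alice` and the `/account` path are arbitrary.

```java
// Added example, not from the original skill file. Assumes a @SpringBootApplication
// class, the secure SecurityConfig above, default CSRF, and the spring-boot-starter-test
// and spring-security-test dependencies. Class name, "alice" and "/account" are arbitrary.
package com.example.session;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.time.Duration;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SessionExpirationTest {

    @Autowired MockMvc mvc;
    @Autowired ServerProperties serverProperties;

    // Guards the setting a SAST scanner cannot see: the bound property. Spring Boot
    // defaults to 30 minutes, so this fails if someone later raises the timeout.
    @Test
    void idleTimeoutIsBounded() {
        Duration timeout = serverProperties.getServlet().getSession().getTimeout();
        assertTrue(timeout.compareTo(Duration.ofMinutes(30)) <= 0,
            "sensitive apps should expire idle sessions within 30 minutes, got " + timeout);
    }

    // Logout must invalidate the server-side session, not only clear the authentication.
    @Test
    void logoutInvalidatesSession() throws Exception {
        MockHttpSession session = new MockHttpSession();
        // Establish an authenticated session (the endpoint itself need not exist for this check).
        mvc.perform(get("/account").session(session).with(user("alice")));
        mvc.perform(post("/logout").session(session).with(csrf()))
            .andExpect(status().is3xxRedirection());
        assertTrue(session.isInvalid(), "session must be invalidated on logout");
    }
}
```

The second test works because `MockHttpSession` records `invalidate()` calls: if a future change switches `invalidateHttpSession` off, or replaces the logout handler with one that only clears the security context, `isInvalid()` stays false and the build fails.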
## Trigger Examples

- Fix CWE-613 vulnerability
- Resolve Insufficient Session Expiration issue
- Secure this Java code against insufficient session expiration
- SAST reports CWE-613
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07