According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Set sessions/credentials expiration date.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2025-46344JavaScript SDK does not set an expiration time for JWE tokens related to a session
CVE-2024-8888Web interface for a power quality analyzer uses tokens without an expiration date
CVE-2024-35206network traffic analyzer for PROFINET networks does not expire sessions
CVE-2024-27782AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration