What
Lack of proper session expiration
Why
The lack of proper session expiration increases the likelihood that certain attacks succeed. Although a short session expiration time does not help if a stolen token is used immediately, it does protect against ongoing replay of the session ID.
Recommendation
Invalidate the user's JWT after log-out, and after a fixed amount of time without receiving a valid request from the logged-in user.
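Server-side session state that implements both parts of the recommendation (immediate invalidation on log-out, and an idle timeout that slides forward on each valid request), as an added example that is not Weave GitOps code. It assumes the JWT's signature and exp claim have already been checked elsewhere, and that each token carries a unique jti claim; the 15-minute idle timeout is an assumed value.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assumed idle timeout: a session is invalidated after this long without a valid request.
const idleTimeout = 15 * time.Minute

var (
	ErrUnknownSession = errors.New("session unknown or logged out")
	ErrSessionExpired = errors.New("session idle timeout exceeded")
)

// SessionStore keeps server-side state per issued JWT, keyed by its jti claim.
// A JWT on its own cannot be revoked before exp; this store adds log-out and idle-timeout checks.
type SessionStore struct {
	mu       sync.Mutex
	lastSeen map[string]time.Time // jti -> time of the last valid request
}

func NewSessionStore() *SessionStore { return &SessionStore{lastSeen: map[string]time.Time{}} }

// Login registers a freshly issued token ID at issue time.
func (s *SessionStore) Login(jti string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.lastSeen[jti] = now
}

// Logout invalidates the token immediately, regardless of its exp claim.
func (s *SessionStore) Logout(jti string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.lastSeen, jti)
}

// Validate runs on every authenticated request after signature and exp checks. It rejects
// tokens that were logged out or idle longer than idleTimeout; otherwise it slides the window.
func (s *SessionStore) Validate(jti string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	last, ok := s.lastSeen[jti]
	if !ok {
		return ErrUnknownSession
	}
	if now.Sub(last) > idleTimeout {
		delete(s.lastSeen, jti) // drop state so a later replay of the same token fails fast
		return ErrSessionExpired
	}
	s.lastSeen[jti] = now
	return nil
}

func main() {
	s := NewSessionStore()
	t0 := time.Now()
	s.Login("tok-1", t0)
	fmt.Println(s.Validate("tok-1", t0.Add(5*time.Minute)))  // <nil>
	fmt.Println(s.Validate("tok-1", t0.Add(30*time.Minute))) // idle timeout exceeded
}
```

The in-memory map is for illustration; a deployment with several replicas needs this state in a shared store so a log-out on one replica is honoured by all of them.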
Acceptance Criteria
Based on the recommendation, ensure that the finding is addressed for Weave GitOps OSS and EE.