According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Time of Introduction: Architecture and Design
Technical Impact: Bypass protection
The following snippet was taken from a J2EE web.xml deployment
descriptor in which the session-timeout parameter is explicitly defined (the
default value depends on the container). In this case the value is set to
-1, which means that a session will never expire.
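The snippet itself is not reproduced in this extract, so the following is an added example (not the original page's code): it embeds a constructed web.xml fragment with the weak `session-timeout` of -1 next to a corrected one, and audits the `<session-config>` element the way a configuration check would. Names, the 15-minute fix, and the 30-minute policy ceiling are assumptions; the rule that a value of zero or less means "never expire" is servlet-container behaviour.

```python
# Added example (not from the CWE page): audit a J2EE web.xml for an
# insufficient session-timeout. Both documents below are constructed.
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the weak setting the text describes:
# -1 means the session never expires.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>"""

# Constructed corrected fragment: sessions expire after 15 idle minutes
# (assumed value; choose it to fit the application's risk).
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>"""

MAX_IDLE_MINUTES = 30  # assumed policy ceiling used by the audit


def _local(tag):
    """Strip the XML namespace so web.xml from any Java EE schema matches."""
    return tag.rsplit('}', 1)[-1]


def session_timeout_minutes(web_xml):
    """Return the configured <session-timeout> in minutes, or None if absent."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local(elem.tag) == 'session-timeout':
            return int((elem.text or '').strip())
    return None


def audit_session_timeout(web_xml, max_idle_minutes=MAX_IDLE_MINUTES):
    """Classify the session-timeout setting.

    Servlet containers treat zero or a negative value as 'never expire'.
    A missing element leaves the container default in effect, which is
    flagged because the timeout is then not explicit in the deployment.
    """
    timeout = session_timeout_minutes(web_xml)
    if timeout is None:
        return 'warn: no <session-timeout>; container default applies'
    if timeout <= 0:
        return 'fail: session-timeout %d means sessions never expire' % timeout
    if timeout > max_idle_minutes:
        return 'warn: session-timeout %d exceeds policy of %d minutes' % (
            timeout, max_idle_minutes)
    return 'ok: session-timeout %d minutes' % timeout


if __name__ == '__main__':
    for name, doc in (('weak', WEAK_WEB_XML), ('fixed', FIXED_WEB_XML)):
        print(name, '->', audit_session_timeout(doc))
```

Run it against a real web.xml by reading the file into `audit_session_timeout`; the namespace-stripping lookup keeps the check working whether the descriptor uses the `java.sun.com` or `xmlns.jcp.org` schema, or none at all.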
Set sessions/credentials expiration date.
The lack of proper session expiration may increase the likelihood of
success of certain attacks. For example, an attacker may intercept a session
ID, possibly via a network sniffer or Cross-site Scripting attack. Although
short session expiration times do not help if a stolen token is immediately
used, they will protect against ongoing replaying of the session ID. In
another scenario, a user might access a web site from a shared computer
(such as at a library, Internet cafe, or open work environment).
Insufficient Session Expiration could allow an attacker to use the browser's
back button to access web pages previously accessed by the victim.
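The two scenarios above (a replayed session ID and a session left behind on a shared computer) both depend on the server still honouring the old ID. The following is an added example, not code from the page: a minimal server-side session store that enforces an idle timeout and an absolute lifetime, deletes expired records so they cannot be replayed, and invalidates the record on logout. The timeouts, user names and the fake clock are assumptions made for the demonstration.

```python
# Added example (not from the CWE page): server-side session expiration with
# an idle timeout and an absolute lifetime. All values are assumed.
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap regardless of activity


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT,
                 absolute_lifetime=ABSOLUTE_LIFETIME, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._clock = clock     # injectable so expiry can be demonstrated offline

    def create(self, user):
        """Issue an unpredictable session ID and record creation/last-use times."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {'user': user, 'created': now, 'last_seen': now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None.

        An expired record is deleted on the server, so presenting the same
        ID again later (replay, back button) keeps failing.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        idle_expired = now - entry['last_seen'] > self.idle_timeout
        life_expired = now - entry['created'] > self.absolute_lifetime
        if idle_expired or life_expired:
            del self._sessions[sid]
            return None
        entry['last_seen'] = now
        return entry['user']

    def logout(self, sid):
        """Logout must invalidate the server-side record, not only the cookie."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the scenarios run instantly and deterministically."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Replay the page's scenarios; returns a dict of outcomes."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=15 * 60, absolute_lifetime=8 * 3600, clock=clock)
    out = {}

    # 1. Normal use: activity inside the idle window keeps the session alive.
    sid = store.create('alice')
    clock.advance(10 * 60)
    out['active_after_10m'] = store.lookup(sid)         # 'alice'

    # 2. The same ID replayed after 20 idle minutes is rejected.
    clock.advance(20 * 60)
    out['replay_after_20m_idle'] = store.lookup(sid)    # None

    # 3. Continuous activity cannot extend a session past its absolute lifetime.
    sid = store.create('bob')
    for _ in range(54):                                 # 9 hours in 10-minute steps
        clock.advance(10 * 60)
        store.lookup(sid)
    out['after_9h_of_activity'] = store.lookup(sid)     # None

    # 4. Shared computer: after logout the old cookie no longer authenticates.
    sid = store.create('carol')
    store.logout(sid)
    out['after_logout'] = store.lookup(sid)             # None

    # 5. The equivalent of session-timeout -1: with no expiry the ID is still
    #    valid a day later, which is the weakness the page describes.
    forever = SessionStore(idle_timeout=float('inf'),
                           absolute_lifetime=float('inf'), clock=clock)
    sid = forever.create('dave')
    clock.advance(24 * 3600)
    out['no_expiry_after_1d'] = forever.lookup(sid)     # 'dave'
    return out


if __name__ == '__main__':
    for case, result in demo().items():
        print(case, '->', result)
```

The absolute lifetime is the part a pure idle timeout misses: an attacker who keeps a stolen ID warm with periodic requests would otherwise hold it indefinitely. Pair this with regenerating the session ID on login and with a logout handler that calls the server-side invalidation, not just cookie deletion.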