I recently noticed that a large number of CVEs have been filed citing "improper session expiration". The crux of these disclosures is that a session must be invalidated on the server when a user logs out or changes their password. It is not enough to delete the cookie from the browser or to have an expiration set on the cookie. The CVEs all cite https://cwe.mitre.org/data/definitions/613.html as the basis of the disclosure, but this document makes no mention of session invalidation at all, only session expiration.
So what's going on here? Are stateless sessions unsafe for use since it is not possible to invalidate them, or is this a case of the CVE system simply not working as intended?
Here's a list of a few examples:
https://nvd.nist.gov/vuln/detail/CVE-2019-5638
https://nvd.nist.gov/vuln/detail/CVE-2020-6363
https://nvd.nist.gov/vuln/detail/CVE-2019-7215
https://nvd.nist.gov/vuln/detail/CVE-2020-4253
https://nvd.nist.gov/vuln/detail/CVE-2023-40732
https://nvd.nist.gov/vuln/detail/CVE-2020-6292
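One way to see the distinction the question is asking about (an added example, not code from the original post or from any of the cited CVEs): a minimal HMAC-signed stateless token plus the two small pieces of server-side state that make it invalidatable on logout and on password change, a set of revoked session ids and a per-user password-change timestamp. The SECRET, the SessionAuthority class and the integer timestamps are constructed for this demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"  # assumption: a real deployment loads this from a KMS/env

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue(user: str, now: int, ttl: int = 3600) -> str:
    """Mint a stateless token: signed JSON payload carrying a random session id (sid)."""
    payload = {"sub": user, "sid": secrets.token_hex(8), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def _verify(token: str):
    """Return the decoded payload if the signature checks out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(_unb64(body))

class SessionAuthority:
    """The minimal server-side state that turns expiry-only tokens into revocable ones."""
    def __init__(self):
        self.revoked_sids = set()      # logged-out sessions; entries can be dropped once past exp
        self.password_changed_at = {}  # user -> timestamp of the last password change

    def logout(self, token: str) -> None:
        payload = _verify(token)
        if payload:
            self.revoked_sids.add(payload["sid"])

    def change_password(self, user: str, now: int) -> None:
        self.password_changed_at[user] = now  # every token issued before 'now' becomes invalid

    def validate(self, token: str, now: int):
        """Return the user if the token is still acceptable, else None."""
        p = _verify(token)
        if p is None or now >= p["exp"]:
            return None  # forged, tampered, or past the cookie-style expiry
        if p["sid"] in self.revoked_sids:
            return None  # the user logged out; expiry alone would still accept this
        if p["iat"] < self.password_changed_at.get(p["sub"], 0):
            return None  # issued before the last password change
        return p["sub"]
```

Without the two revocation checks, the token issued before logout or password change would stay valid until `exp`, which is exactly the gap the listed CVEs describe.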