# Express Insecure Session Configuration

- ID: express-insecure-session
- Severity: HIGH
- CWE: Session Fixation (CWE-384)
- Languages: JavaScript, TypeScript
- Frameworks: express

## Description

Detects insecure `express-session` configuration: a weak or hard-coded `secret`, a session cookie that can be sent over plain HTTP or read by client-side script (`secure` or `httpOnly` missing or disabled), no `sameSite` attribute, and `resave` / `saveUninitialized` left at their permissive defaults.

## Detection Message

Session configuration has security vulnerabilities

## Remediation

Configure sessions with secure cookie flags and a secret loaded from the environment rather than from source. The secret should be long, random and unique per deployment (for example 32 random bytes, hex- or base64-encoded), and never a placeholder such as `keyboard cat`. To close the session-fixation path that CWE-384 describes, also call `req.session.regenerate()` after a successful login so the authenticated session does not keep the ID the client had before it authenticated.

```javascript
const session = require('express-session');

// Behind a TLS-terminating reverse proxy also call app.set('trust proxy', 1);
// otherwise express-session sees a plain-HTTP connection and will not set a
// cookie marked secure.
app.use(session({
  secret: process.env.SESSION_SECRET, // from the environment, never hard-coded
  cookie: {
    secure: process.env.NODE_ENV === 'production', // HTTPS only in production
    httpOnly: true,              // not readable by client-side script
    sameSite: 'strict',          // not sent on cross-site requests
    maxAge: 1000 * 60 * 60 * 24  // 24 hours
  },
  resave: false,            // do not rewrite sessions that did not change
  saveUninitialized: false  // no cookie until the session actually holds data
}));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-384/express-session-configuration

## Related Rules

- **Insecure Session Management** [HIGH]
- **Session Fixation Vulnerability** [HIGH]