Identify unexpired sessions

[jasonLaster]

Sessions and especially JWTs headers follow a common pattern that can be identified in many cases. If we can find them, we can check for expiration fields and use it to notify users if they have not expired.

JWT:

• look for authorization keys
• look for Bearer
• decode token

Cookie:

• look for set-cookie
• attempt to parse cookie and look for expiration

ath=/; secure; HttpOnly; SameSite=Lax
has_recent_activity=1; path=/; expires=Wed, 24 Nov 2021 17:40:10 GMT; secure; HttpOnly; SameSite=Lax

To be clear, unexpired sessions are one of many possible vulnerabilities, so the goal is not to say that a replay is safe, but instead provide more information to users before they make a replay public or share it with others.