I have some doubts about session management in mobile applications. I’m testing an app in which:
- There is no logout functionality
- The session token doesn’t expire
Because the token doesn’t expire, I was wondering whether “FIN.S.0068. unsafe downtime” would apply in this case, and whether we can talk about “FIN.S.0076. insecure session handling” when there is no logout functionality in a mobile app combined with a session token that doesn’t expire.