[Bug] Session Timeout Not Implemented - Sessions Never Expire #688

@anshul23102

Description

User sessions do not have an expiration time. Once a user logs in, their session remains valid indefinitely, even if they don't access the application for months. This increases the window for session hijacking attacks.

Steps to Reproduce

  1. User logs in at time T
  2. Session token is stored (no expiration date)
  3. User does not access the application for 6 months
  4. User's old session token still works
  5. If token is compromised, attacker has indefinite access

Environment Information

  • Framework: Express.js + Session middleware
  • Session storage: Memory/Database
  • Application version: Current main branch

Expected Behavior

Sessions should expire after a configurable timeout (recommended: 24-30 minutes for sensitive apps). Expired sessions should return 401 Unauthorized.

Actual Behavior

File: backend/server.js or backend/middleware/session.js
Session middleware configured without maxAge or expires property.

Code Reference

File: backend/server.js
Missing: session({ maxAge: 30 * 60 * 1000 }) to set 30-minute timeout

Additional Context

Add session timeout configuration:

app.use(session({
  // ...existing options (secret, resave, saveUninitialized, store)...
  rolling: true,                        // reset the timeout on each request (activity)
  cookie: { maxAge: 30 * 60 * 1000 }    // 30 minutes; express-session reads maxAge from cookie, not top-level
}));

GSSoC Points Estimate: Level 2 (Security/Session Management)

Suggested Labels

  • gssoc:approved
  • type:bug
  • severity:high
  • area:security

  • Searched existing issues, not a duplicate
  • Read CONTRIBUTING.md guidelines
  • Read README and understand project scope
  • Provided clear reproduction steps
  • Provided environment information
  • Described expected vs. actual clearly
