• Type: Suggestion
• Resolution: Unresolved
• Component/s: Cross Product DoS

Web applications that do not ensure that all session tokens (e.g. cookies) are properly destroyed or made unusable are prone to session replay, where an attacker steals the session identifier by sniffing and replays these session tokens to "resurrect" the session of a legitimate user and virtually impersonate him/her.

It is recommended that the application:
• implement a session timeout after about 15 minutes of measured inactivity, based on business and usability requirements;
OR
• ensure that the logout function effectively destroys all session tokens or renders them unusable;
OR
• have the application server perform proper checks on the session state, disallowing an attacker from replaying a previous token.
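The following is an added example, not code from this issue or from the product it was filed against: a minimal server-side session store that applies all three recommendations at once (a sliding idle timeout of about 15 minutes, a logout that destroys the session server-side, and a state check on every request so that a replayed cookie value is rejected). The `SessionStore` class, its `clock` parameter and the 15-minute constant are assumptions chosen for the illustration; a purely stateless token (one with no server-side record) cannot be revoked this way and would need a server-side deny list instead.

```python
# Added example (not from the original report): server-side session state that
# makes a sniffed or replayed cookie value useless after logout or inactivity.
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # ~15 minutes of inactivity, as the issue suggests


class SessionStore:
    """Keeps session state on the server; the cookie is only an opaque lookup key."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}          # token -> {"user": str, "last_seen": float}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable clock (assumption, for testing)

    def login(self, user):
        """Issue a fresh, unpredictable token bound to a server-side record."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def authenticate(self, token):
        """Return the user for a live session, or None when the token must be rejected."""
        session = self._sessions.get(token)
        if session is None:
            return None              # unknown or already destroyed: a replay is refused
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # idle timeout: destroy, do not merely refuse
            return None
        session["last_seen"] = now   # sliding window: activity extends the session
        return session["user"]

    def logout(self, token):
        """Destroy the server-side record so the cookie value becomes unusable."""
        self._sessions.pop(token, None)
```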

Assignee: Unassigned
Reporter: Nikitha Mannam
Votes: 1
Watchers: 3
