Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed after the user hits the log off button, or after a certain period of time, called timeout.
The application should provide the user the option to log out and destroy the session immediately without waiting for either timer to expire.
1- After I login with demo user, I checked the value the expiration fo firefly_session, the value should be "session", not a fixed date and time.
Please check the reference pic