{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T13:04:30Z","timestamp":1761570270655,"version":"build-2065373602"},"publisher-location":"New York, NY, USA","reference-count":63,"publisher":"ACM","funder":[{"name":"National Key R&D Program of China","award":["2022YFB3103900"],"award-info":[{"award-number":["2022YFB3103900"]}]},{"name":"National Natural Science Foundation of China","award":["62402474"],"award-info":[{"award-number":["62402474"]}]},{"name":"National Natural Science Foundation of China","award":["62132020"],"award-info":[{"award-number":["62132020"]}]},{"name":"National Natural Science Foundation of China","award":["62202452"],"award-info":[{"award-number":["62202452"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,20]]},"DOI":"10.1145\/3755881.3755895","type":"proceedings-article","created":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T11:46:17Z","timestamp":1761565577000},"page":"281-292","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["SLVHound: Static Detection of Session Lingering Vulnerabilities in Modern Java Web Applications"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-7149-7671","authenticated-orcid":false,"given":"Haining","family":"Meng","sequence":"first","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China and University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4162-0404","authenticated-orcid":false,"given":"Jie","family":"Lu","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-7874-6430","authenticated-orcid":false,"given":"Yongheng","family":"Huang","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China and University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4476-0541","authenticated-orcid":false,"given":"Lian","family":"Li","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China and University of Chinese Academy of Sciences, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2025,10,27]]},"reference":[{"key":"e_1_3_3_1_2_2","unstructured":"Alibaba. 2018. Nacos: An easy-to-use dynamic service discovery configuration and service management platform for building cloud native applications. https:\/\/github.com\/alibaba\/nacos. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029838"},{"key":"e_1_3_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3385412.3386026"},{"key":"e_1_3_3_1_5_2","unstructured":"Apache DolphinScheduler Project. 2019. Apache DolphinScheduler. https:\/\/github.com\/apache\/dolphinscheduler. Accessed: 2024-10-15."},{"key":"e_1_3_3_1_6_2","unstructured":"Apache InLong Project. 2019. Apache InLong. https:\/\/github.com\/apache\/inlong. Accessed: 2024-10-15."},{"key":"e_1_3_3_1_7_2","doi-asserted-by":"crossref","unstructured":"Michael Burrows Martin Abadi and Roger Needham. 1990. A logic of authentication. ACM Transactions on Computer Systems (TOCS) 8 1 (1990) 18\u201336.","DOI":"10.1145\/77648.77649"},{"key":"e_1_3_3_1_8_2","doi-asserted-by":"crossref","unstructured":"Stefano Calzavara Riccardo Focardi Marco Squarcina and Mauro Tempesta. 2017. Surviving the web: A journey into web session security. 
ACM Computing Surveys (CSUR) 50 1 (2017) 1\u201334.","DOI":"10.1145\/3038923"},{"key":"e_1_3_3_1_9_2","unstructured":"Common Weakness Enumeration. 2023. CWE-613: Insufficient Session Expiration. Web Page. https:\/\/cwe.mitre.org\/data\/definitions\/613.html [Online; accessed: Access Date]."},{"key":"e_1_3_3_1_10_2","volume-title":"Hibernate - ORM framework","author":"Community Hibernate","year":"2024","unstructured":"Hibernate Community. 2024. Hibernate - ORM framework. https:\/\/hibernate.org\/ Accessed: 2024-10-14."},{"key":"e_1_3_3_1_11_2","unstructured":"MyBatis Community. 2024. MyBatis - Persistence framework. https:\/\/mybatis.org\/mybatis-3\/. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_12_2","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1007\/978-3-540-74320-0_4","volume-title":"Recent Advances in Intrusion Detection","author":"Cova Marco","year":"2007","unstructured":"Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna. 2007. Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications. In Recent Advances in Intrusion Detection, Christopher Kruegel, Richard Lippmann, and Andrew Clark (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 63\u201386."},{"key":"e_1_3_3_1_13_2","unstructured":"cskefu. 2018. cskefu. Accessed online. https:\/\/github.com\/cskefu\/cskefu [Online; accessed 2025\/08\/12 04:47:06]."},{"key":"e_1_3_3_1_14_2","series-title":"(SSYM\u201909)","first-page":"267","volume-title":"Proceedings of the 18th Conference on USENIX Security Symposium","author":"Dalton Michael","year":"2009","unstructured":"Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich. 2009. Nemesis: preventing authentication & access control vulnerabilities in web applications. In Proceedings of the 18th Conference on USENIX Security Symposium (Montreal, Canada) (SSYM\u201909). 
USENIX Association, USA, 267\u2013282."},{"volume-title":"10 Session Management Security Best Practices","year":"2024","key":"e_1_3_3_1_15_2","unstructured":"Endgrate. 2024. 10 Session Management Security Best Practices. https:\/\/endgrate.com\/blog\/10-session-management-security-best-practices"},{"key":"e_1_3_3_1_16_2","first-page":"829","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Fang Chongzhou","year":"2024","unstructured":"Chongzhou Fang, Ning Miao, Shaurya Srivastav, Jialin Liu, Ruoyu Zhang, Ruijie Fang, Ryan Tsang, Najmeh Nazari, Han Wang, Houman Homayoun, et\u00a0al. 2024. Large language models for code analysis: Do LLMs really do their job?. In 33rd USENIX Security Symposium (USENIX Security 24). 829\u2013846."},{"key":"e_1_3_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.5555\/1929820.1929834"},{"key":"e_1_3_3_1_18_2","unstructured":"Apache\u00a0Software Foundation. 2005. Roller: Open Source Java Blog Software. https:\/\/github.com\/apache\/roller. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_19_2","volume-title":"Jakarta Persistence - Specification","author":"Foundation Eclipse","year":"2024","unstructured":"Eclipse Foundation. 2024. Jakarta Persistence - Specification. https:\/\/jakarta.ee\/specifications\/persistence\/ Accessed: 2024-10-14."},{"key":"e_1_3_3_1_20_2","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1109\/ICCKE54056.2021.9721455","volume-title":"2021 11th International Conference on Computer Engineering and Knowledge (ICCKE)","author":"Garmabi Nasrin","year":"2021","unstructured":"Nasrin Garmabi and Mohammad\u00a0Ali Hadavi. 2021. Automatic Detection and Risk Assessment of Session Management Vulnerabilities in Web Applications. In 2021 11th International Conference on Computer Engineering and Knowledge (ICCKE). IEEE, 41\u201347."},{"key":"e_1_3_3_1_21_2","unstructured":"Google. 2024. Guava: Google Core Libraries for Java. 
https:\/\/github.com\/google\/guava\/wiki\/EventBusExplained Accessed: 2024-10-15."},{"key":"e_1_3_3_1_22_2","unstructured":"Google Project Zero. 2021. Project Zero: Vulnerability Disclosure FAQ. https:\/\/googleprojectzero.blogspot.com\/p\/vulnerability-disclosure-faq.html. Accessed: 2024."},{"key":"e_1_3_3_1_23_2","doi-asserted-by":"crossref","unstructured":"Paul\u00a0A Grassi Elaine\u00a0M Newton Ray\u00a0A Perlner Andrew\u00a0R Regenscheid William\u00a0E Burr Justin\u00a0P Richer Naomi\u00a0B Lefkovitz Jamie\u00a0M Danker Yee-Yin Choong Kristen Greene et\u00a0al. 2017. Digital identity guidelines: authentication and lifecycle management. (2017).","DOI":"10.6028\/NIST.SP.800-63b"},{"key":"e_1_3_3_1_24_2","unstructured":"Graylog2. 2010. Graylog2 Server. https:\/\/github.com\/Graylog2\/graylog2-server."},{"key":"e_1_3_3_1_25_2","doi-asserted-by":"crossref","unstructured":"Md.\u00a0Maruf Hassan Shamima\u00a0Sultana Nipa Marjana Akter Rafita Haque Fabiha\u00a0Nawar Deepa Mostafijur Rahman Mohd.\u00a0Shadab Siddiqui and Md.\u00a0Hasan Sharif. 2018. Broken Authentication and Session Management Vulnerability: A Case Study of Web Application. International journal of simulation: systems science and technology (2018). https:\/\/api.semanticscholar.org\/CorpusID:68089883","DOI":"10.5013\/IJSSST.a.19.02.06"},{"key":"e_1_3_3_1_26_2","first-page":"82","volume-title":"World Congress on Internet Security (WorldCIS-2012)","author":"Huluka Daniel","year":"2012","unstructured":"Daniel Huluka and Oliver Popov. 2012. Root cause analysis of session management and broken authentication vulnerabilities. In World Congress on Internet Security (WorldCIS-2012). 82\u201386."},{"key":"e_1_3_3_1_27_2","unstructured":"IBM. 2006. T.J. Watson Libraries for Analysis (WALA). http:\/\/wala.sourceforge.net\/"},{"key":"e_1_3_3_1_28_2","unstructured":"javahuang. 2005. SurveyKing: Make a better survey system. GitHub repository. 
https:\/\/github.com\/javahuang\/SurveyKing"},{"key":"e_1_3_3_1_29_2","unstructured":"javahuang. 2023. Issue #7: There is a logout logic vulnerability in the background. https:\/\/github.com\/javahuang\/SurveyKing\/issues\/7. Accessed: 2024-10-12."},{"key":"e_1_3_3_1_30_2","unstructured":"JMPrathab. 2020. MyHome: A Smart Home Management System. https:\/\/github.com\/jmprathab\/MyHome. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561446"},{"key":"e_1_3_3_1_32_2","unstructured":"Mete Keltek Rong Hu Mohammadreza\u00a0Fani Sani and Ziyue Li. 2024. LSAST\u2013Enhancing Cybersecurity through LLM-supported Static Application Security Testing. arXiv preprint arXiv:2409.15735 (2024)."},{"key":"e_1_3_3_1_33_2","volume-title":"Redis - In-memory data structure store","author":"Labs Redis","year":"2024","unstructured":"Redis Labs. 2024. Redis - In-memory data structure store. https:\/\/redis.io\/ Accessed: 2024-10-14."},{"key":"e_1_3_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/IDAACS53288.2021.9660889"},{"key":"e_1_3_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076767"},{"key":"e_1_3_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/2133601.2133605"},{"key":"e_1_3_3_1_37_2","unstructured":"Ziyang Li Saikat Dutta and Mayur Naik. 2024. Llm-assisted static analysis for detecting security vulnerabilities. arXiv preprint arXiv:2405.17238 (2024)."},{"key":"e_1_3_3_1_38_2","first-page":"1","volume-title":"2014 International conference on data and software engineering (ICODSE)","author":"Lukanta Raymond","year":"2014","unstructured":"Raymond Lukanta, Yudistira Asnar, and A\u00a0Imam Kistijantoro. 2014. A vulnerability scanning tool for session management vulnerabilities. In 2014 International conference on data and software engineering (ICODSE). 
IEEE, 1\u20136."},{"key":"e_1_3_3_1_39_2","doi-asserted-by":"crossref","first-page":"369","DOI":"10.1007\/978-3-031-66456-4_20","volume-title":"Engineering of Complex Computer Systems","author":"Meng Haining","year":"2025","unstructured":"Haining Meng, Haofeng Li, Jie Lu, Chenghang Shi, Liqing Cao, Lian Li, and Lin Gao. 2025. AutoWeb: Automatically Inferring Web Framework Semantics via Configuration Mutation. In Engineering of Complex Computer Systems. Springer Nature Switzerland, Cham, 369\u2013389."},{"key":"e_1_3_3_1_40_2","unstructured":"Mindskip. 2019. XZS-MySQL: A repository for MySQL related projects and resources. https:\/\/github.com\/mindskip\/xzs-mysql. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_41_2","volume-title":"MongoDB - The database for modern applications","author":"MongoDB Inc.","year":"2024","unstructured":"Inc. MongoDB. 2024. MongoDB - The database for modern applications. https:\/\/www.mongodb.com\/ Accessed: 2024-10-14."},{"key":"e_1_3_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884836"},{"key":"e_1_3_3_1_43_2","unstructured":"OpenAI. 2023. OpenAI API. https:\/\/platform.openai.com\/docs Accessed: 2024-10-15."},{"key":"e_1_3_3_1_44_2","unstructured":"OpenAI. 2024. GPT-4o: An Optimized Version of GPT-4. https:\/\/openai.com\/index\/hello-gpt-4o Accessed: 2024-10-15."},{"key":"e_1_3_3_1_45_2","unstructured":"owasp. 2024. Cross Site Request Forgery (CSRF). Web Page. https:\/\/owasp.org\/www-community\/attacks\/csrf [Online; accessed: Access Date]."},{"key":"e_1_3_3_1_46_2","unstructured":"owasp. 2024. Cross Site Scripting (XSS). Web Page. https:\/\/owasp.org\/www-community\/attacks\/xss\/ [Online; accessed: Access Date]."},{"key":"e_1_3_3_1_47_2","unstructured":"Rangeet Pan Ali\u00a0Reza Ibrahimzada Rahul Krishna Divya Sankar Lambert\u00a0Pouguem Wassi Michele Merler Boris Sobolev Raju Pavuluri Saurabh Sinha and Reyhaneh Jabbarvand. 2023. Understanding the effectiveness of large language models in code translation. 
CoRR (2023)."},{"key":"e_1_3_3_1_48_2","unstructured":"Inc. Pivotal\u00a0Software. 2009. Spring Security. GitHub repository. https:\/\/github.com\/spring-projects\/spring-security"},{"key":"e_1_3_3_1_49_2","unstructured":"Rakan. 2024. JWT can fit as an authentication system with a blacklist technique. Web Page. https:\/\/dev.to\/irakan\/jwt-can-fit-as-an-authentication-system-with-a-blacklist-technique-4ohl [Online; accessed: Access Date]."},{"key":"e_1_3_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_3_3_1_51_2","unstructured":"sanluan. 2016. PublicCMS: An open-source content management system. GitHub repository. https:\/\/github.com\/sanluan\/PublicCMS"},{"key":"e_1_3_3_1_52_2","unstructured":"Shopizer. 2013. Shopizer: Open Source e-commerce Software. https:\/\/github.com\/shopizer-ecommerce\/shopizer. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_53_2","unstructured":"TIOBE Software. 2024. TIOBE Programming Community Index. https:\/\/www.tiobe.com\/tiobe-index\/. Accessed: January 2024."},{"key":"e_1_3_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.5555\/2554511.2554523"},{"key":"e_1_3_3_1_55_2","volume-title":"How long should a session absolute timeout be?","author":"StackExchange Security","year":"2015","unstructured":"Security StackExchange. 2015. How long should a session absolute timeout be? https:\/\/security.stackexchange.com\/questions\/106786\/how-long-should-a-session-absolute-timeout-be"},{"key":"e_1_3_3_1_56_2","volume-title":"How do big websites have practically infinite session duration?","author":"StackExchange Security","year":"2021","unstructured":"Security StackExchange. 2021. 
How do big websites have practically infinite session duration? https:\/\/security.stackexchange.com\/questions\/256438\/how-do-big-websites-have-practically-infinite-session-duration"},{"key":"e_1_3_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772869"},{"key":"e_1_3_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2012.6297927"},{"key":"e_1_3_3_1_59_2","unstructured":"TaleLin. 2019. Lin-CMS-Spring-Boot: A simple and practical CMS implemented with Spring Boot. https:\/\/github.com\/TaleLin\/lin-cms-spring-boot. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_60_2","volume-title":"Spring Data JPA - Reference Documentation","author":"Team The\u00a0Spring","year":"2024","unstructured":"The\u00a0Spring Team. 2024. Spring Data JPA - Reference Documentation. https:\/\/docs.spring.io\/spring-data\/jpa\/docs\/current\/reference\/html\/"},{"key":"e_1_3_3_1_61_2","doi-asserted-by":"crossref","unstructured":"Steve Vinoski. 2002. Chain of responsibility. IEEE Internet Computing 6 6 (2002) 80\u201383.","DOI":"10.1109\/MIC.2002.1067742"},{"key":"e_1_3_3_1_62_2","unstructured":"Vladyslav-Team. 2023. Backend: A repository for backend development. https:\/\/github.com\/Vladyslav-Team\/backend. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_63_2","unstructured":"yangzongzhuan. 2018. RuoYi. https:\/\/github.com\/yangzongzhuan\/RuoYi. Accessed: 2024-10-14."},{"key":"e_1_3_3_1_64_2","unstructured":"Yadong Zhang. 2017. DBlog: A simple fast and powerful blog system based on Spring Boot. https:\/\/gitee.com\/yadong.zhang\/DBlog. 
Accessed: 2024-10-14."}],"event":{"name":"Internetware 2025: the 16th International Conference on Internetware","sponsor":["SIGSOFT ACM Special Interest Group on Artificial Intelligence"],"location":"Trondheim Norway","acronym":"Internetware 2025"},"container-title":["Proceedings of the 16th International Conference on Internetware"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3755881.3755895","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T11:53:47Z","timestamp":1761566027000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3755881.3755895"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,20]]},"references-count":63,"alternative-id":["10.1145\/3755881.3755895","10.1145\/3755881"],"URL":"https:\/\/doi.org\/10.1145\/3755881.3755895","relation":{},"subject":[],"published":{"date-parts":[[2025,6,20]]},"assertion":[{"value":"2025-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}