Cornucopia - Ecommerce Website - SM 5
Suit: Session management
John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically.
Ensure the following occur:
- Ensure sufficiently long and random session identifiers are used
- Generate a new session identifier:
  - If a session was established before login, and successful login has occurred
  - When changing from HTTP to HTTPS
  - When re-authenticating
  - Periodically otherwise.
See SM 7 for session termination on logging out.
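As an added example (not part of the Cornucopia card), the following minimal server-side session store generates 256-bit identifiers from the CSPRNG and regenerates them at each point the card lists: after a successful login or re-authentication, on the first request seen over HTTPS, and periodically. The store, the method names and the 15-minute rotation interval are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

ROTATE_AFTER_SECONDS = 15 * 60   # assumed periodic rotation interval
ID_BYTES = 32                    # 256 bits of entropy from the CSPRNG


@dataclass
class Session:
    user: Optional[str] = None   # None until login succeeds
    secure: bool = False         # last seen over HTTPS?
    issued_at: float = field(default_factory=time.time)
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, secure: bool = False, now: Optional[float] = None) -> str:
        """Start a (pre-authentication) session with a long, random ID."""
        sid = secrets.token_urlsafe(ID_BYTES)
        issued = time.time() if now is None else now
        self._sessions[sid] = Session(secure=secure, issued_at=issued)
        return sid

    def rotate(self, sid: str, now: Optional[float] = None) -> str:
        """Issue a fresh ID, carry the state over, and invalidate the old ID."""
        sess = self._sessions.pop(sid)          # old ID stops working at once
        new_sid = secrets.token_urlsafe(ID_BYTES)
        sess.issued_at = time.time() if now is None else now
        self._sessions[new_sid] = sess
        return new_sid

    def login(self, sid: str, user: str, now: Optional[float] = None) -> str:
        """Successful login or re-authentication: always rotate the ID."""
        self._sessions[sid].user = user
        return self.rotate(sid, now)

    def touch(self, sid: str, secure: bool, now: float) -> str:
        """Per request: rotate on an HTTP->HTTPS switch or when the ID is stale."""
        sess = self._sessions[sid]
        stale = now - sess.issued_at >= ROTATE_AFTER_SECONDS
        if (secure and not sess.secure) or stale:
            sess.secure = secure
            return self.rotate(sid, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)
```

Each rotation removes the old identifier from the store, so an identifier captured before login or over plain HTTP is worthless afterwards.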
Mappings: OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE