Cornucopia - Ecommerce Website - SM 5
From OWASP
Suit: Session management
Card/Value: 5
Description:
John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically.
Technical Note:
Ensure the following occur:
- Ensure sufficiently long and random session identifiers are used
- Generate a new session identifier:
  - If a session was established before login, and successful login has occurred
  - When changing from HTTP to HTTPS
  - When re-authenticating
  - Periodically otherwise.
See SM 7 for session termination on logging out.
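The technical note above, as an added example that is not OWASP's own code: a minimal in-memory session store that draws identifiers from the OS CSPRNG and regenerates them on login, on the HTTP to HTTPS switch, on re-authentication and periodically. `ROTATE_AFTER_SECONDS`, `ID_BYTES` and the `SessionStore` methods are assumed names and policy values for illustration.

```python
import secrets
import time

# Constructed example, not OWASP's code. Session IDs come from the OS CSPRNG
# (secrets) and are regenerated whenever the session's trust level changes:
# login, HTTP->HTTPS, re-authentication, and periodically (assumed interval).

ROTATE_AFTER_SECONDS = 15 * 60   # assumed rotation interval
ID_BYTES = 32                    # 256 bits of entropy per session ID

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}      # session_id -> dict of session data
        self._clock = clock      # injectable for testing

    def _new_id(self):
        return secrets.token_urlsafe(ID_BYTES)

    def create(self, data=None):
        """Start a (pre-authentication) session with a fresh random ID."""
        sid = self._new_id()
        self._sessions[sid] = dict(data or {}, issued_at=self._clock())
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, sid):
        """Move the data to a new ID and invalidate the old one, so an ID
        observed before the change is useless afterwards."""
        data = self._sessions.pop(sid)   # KeyError if sid is unknown
        data["issued_at"] = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def on_login(self, sid, user):
        """Successful (re-)authentication: the role changes, so regenerate."""
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["user"] = user
        return new_sid

    # HTTP -> HTTPS: the old ID may have been seen in the clear, so regenerate.
    on_https_upgrade = regenerate

    def rotate_if_due(self, sid):
        """Periodic rotation, called on each request; returns the current ID."""
        issued = self._sessions[sid]["issued_at"]
        if self._clock() - issued >= ROTATE_AFTER_SECONDS:
            return self.regenerate(sid)
        return sid
```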
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 60 | 3.2 | SE4 | 31 | 28 |
| 62 | 3.7 | SE5 | | |
| 66 | 3.8 | SE6 | | |
| 67 | 3.11 | | | |
| 71 | | | | |
| 72 | | | | |
