
Cornucopia - Ecommerce Website - SM 5

From OWASP

Suit: Session management

Card/Value: 5

Description:

John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically.

Technical Note:

Ensure the following occur:

  • Ensure sufficiently long and random session identifiers are used
  • Generate a new session identifier:
    • If a session was established before login, and successful login has occurred
    • When changing from HTTP to HTTPS
    • When re-authenticating
    • Periodically otherwise.

See SM 7 for session termination on logging out.
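The rotation rules in the technical note, worked through as an added example (not OWASP's own code): a small server-side session store that issues long random identifiers from the OS CSPRNG and replaces the identifier on login, on re-authentication, on the move from HTTP to HTTPS, and periodically. The entropy size and rotation interval are assumed values.

```python
import secrets
import time

# Added example (not OWASP's own code): a server-side session store following
# the SM 5 technical note. Entropy size and rotation interval are assumed values.
SESSION_ID_BYTES = 32        # 256 bits from the OS CSPRNG via secrets, not random
ROTATE_AFTER_SECONDS = 900   # periodic rotation interval (assumed)

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so tests can advance time
        self._sessions = {}       # session_id -> session data

    def _rotate(self, sid):
        # Move the data under a fresh identifier and drop the old one, so an
        # identifier observed before the change no longer maps to anything.
        data = self._sessions.pop(sid)
        data["issued"] = self._now()
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def create(self, secure_transport):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "secure": secure_transport,
                               "issued": self._now()}
        return sid

    def login(self, sid, user):
        # Role changes from anonymous to authenticated: always issue a new ID.
        self._sessions[sid]["user"] = user
        return self._rotate(sid)

    def reauthenticate(self, sid):
        # Re-authentication of a logged-in user also gets a new identifier.
        return self._rotate(sid)

    def touch(self, sid, secure_transport):
        # Per request: rotate on HTTP -> HTTPS and once the interval elapses.
        data = self._sessions[sid]
        upgraded = secure_transport and not data["secure"]
        data["secure"] = secure_transport
        if upgraded or self._now() - data["issued"] >= ROTATE_AFTER_SECONDS:
            return self._rotate(sid)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)
```

The old identifier is deleted on every rotation, so a pre-login or pre-HTTPS identifier cannot be replayed against the authenticated session.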

References:

OWASP SCP   OWASP ASVS   OWASP AppSensor   CAPEC   SAFECODE
60          3.2          SE4               31      28
62          3.7          SE5
66          3.8          SE6
67          3.11
71
72