This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Cornucopia - Ecommerce Website - SM 9
Suit: Session management
Card/Value: 9
Description:
Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter.
Technical Note:
Protect session identifiers as if they are account credentials. For HTTP cookies:
- Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value.
- Set the 'secure' attribute for cookies transmitted over a TLS connection.
- Consider making the whole ecommerce website 'SSL-only', adding the HTTP Strict Transport Security (HSTS) header and adding the domain to web browser pre-load lists.
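The following is an added example, not code from the Cornucopia card or from OWASP. It shows the three cookie controls above as a server would emit them, plus checks for the other leakage paths the card names (log lines and URLs). The cookie name `SESSIONID`, all function names and the sample log line and URLs are constructed for the example; only the Python standard library is used.

```python
"""Hardened session-cookie issuance and leakage checks (added example).

The cookie name, function names and sample inputs below are constructed
for illustration; they are not part of the OWASP card.
"""
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE_NAME = "SESSIONID"          # constructed cookie name
REQUIRED_ATTRS = ("httponly", "secure")    # attributes the card requires


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable identifier (256 bits) from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie header value for a session identifier.

    HttpOnly keeps the value out of document.cookie, Secure stops the browser
    sending it over plain HTTP, and Path/SameSite limit where it is sent.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE_NAME] = session_id
    morsel = jar[SESSION_COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the required attributes missing from a Set-Cookie value.

    Useful in a response-header test: an empty list means HttpOnly and
    Secure are both present (attribute names are case-insensitive).
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in REQUIRED_ATTRS if a not in attrs]


def hsts_header(max_age: int = 31536000, preload: bool = True) -> tuple:
    """Strict-Transport-Security header for an 'SSL-only' site.

    includeSubDomains and preload are prerequisites for submission to the
    browser preload lists mentioned in the technical note.
    """
    value = f"max-age={max_age}; includeSubDomains"
    if preload:
        value += "; preload"
    return ("Strict-Transport-Security", value)


# Matches the session cookie wherever it appears in free text (e.g. a log line).
_SID_RE = re.compile(rf"({re.escape(SESSION_COOKIE_NAME)}=)([^;\s]+)")


def redact_session_id(text: str) -> str:
    """Mask the session identifier before a request line reaches the logs."""
    return _SID_RE.sub(r"\1[REDACTED]", text)


def url_leaks_session(url: str) -> bool:
    """True if the session identifier is carried in the URL query or path,
    where it would end up in referrers, history and server logs."""
    parts = urlsplit(url)
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    name = SESSION_COOKIE_NAME.lower()
    return name in query_keys or f"{name}=" in parts.path.lower()


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", session_cookie_header(sid))
    print("Missing attrs (hardened):", audit_set_cookie(session_cookie_header(sid)))
    print("Missing attrs (weak):", audit_set_cookie(f"{SESSION_COOKIE_NAME}={sid}; Path=/"))
    print(": ".join(hsts_header()))
    # constructed sample log line
    print(redact_session_id(f"GET /cart HTTP/1.1 Cookie: {SESSION_COOKIE_NAME}={sid}; lang=en"))
    print(url_leaks_session(f"https://shop.example/cart?{SESSION_COOKIE_NAME}={sid}"))
```

`audit_set_cookie` is the check to wire into an integration test that inspects every `Set-Cookie` header the application emits; `redact_session_id` belongs in the logging layer, since the card treats a logged identifier as a stolen one.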
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 69 | 3.6 | SE4 | 31 | 28 |
| 75 | 3.14 | SE5 | 60 | |
| 76 | 3.15 | SE6 | | |
| 119 | 8.10 | | | |
| 138 | 10.3 | | | |