Talk:Session Management Cheat Sheet


I'm in the process of reviewing and working on some session management and came across your cheat sheet. I think you should consider dropping the section "Session ID Name Fingerprinting". My reason is that I don't believe it's very practical advice for most people. Session identifiers like "JSESSIONID" are dictated by industry standards and driven by implementation. Perhaps you have another point you're trying to make, but I missed it. By the way, I like your session management cheat sheet and consider it a valuable resource for all developers.