This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ASVS V3 Session Management"

From OWASP
Older revision: (Create v3)
Newer revision: (Fixing broken table and formatting.)

Line 1:
- # V3: Session Management Verification Requirements
+ == V3: Session Management Verification Requirements ==
- ## Control Objective
+ === Control Objective ===
  One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. This is referred to this as Session Management and is defined as the set of all controls governing state-full interaction between a user and the web-based application.

Line 10:
  * Sessions are invalidated when no longer required and timed out during periods of inactivity.
- ## Security Verification Requirements
- | # | Description | L1 | L2 | L3 | Since |
- | --- | --- | --- | --- | -- | -- |
- | **3.2** | Verify that sessions are invalidated when the user logs out. | ✓ | ✓ | ✓ | 1.0 |
- | **3.3** | Verify that sessions timeout after a specified period of inactivity. |  |  | ✓ | 1.0 |
- | **3.4** | Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). |  | ✓ | ✓ | 1.0 |
- | **3.5** | Verify that all pages that require authentication have easy and visible access to logout functionality. | ✓ | ✓ | ✓ | 1.0 |
- | **3.6** | Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. |  |  | ✓ | 1.0 |
- | **3.7** | Verify that all successful authentication and re-authentication generates a new session and session id. | ✓ | ✓ | ✓ | 1.0 |
- | **3.10** | Verify that only session ids generated by the application framework are recognised as active by the application. |  | ✓ | ✓ | 1.0 |
- | **3.11** | Test session IDs against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage. | ✓ | ✓ | ✓ | 1.0 |
- | **3.12** | Verify that session IDs stored in cookies are scoped using the 'path' attribute; and have the 'HttpOnly' and 'Secure' cookie flags enabled. | ✓ | ✓ | ✓ | 3.0 |
- | **3.17** | Verify that the application tracks all active sessions. And allows users to terminate sessions selectively or globally from their account.  |  | ✓ | ✓ | 3.0 |
- | **3.18** | Verify for high value applications that the user is prompted with the option to terminate all other active sessions after a successful change password process. |  |  | ✓ | 3.1 |
- | **3.1** | TBA | ✓ | ✓ | ✓ | 1.0 |
- ## References
+ === Security Verification Requirements ===
+ {| class="wikitable"
+ |-
+ !# !!Description !!L1 !!L2 !!L3 !!Since
+ |-
+ | 3.2 || Verify that sessions are invalidated when the user logs out. || ✓ || ✓ || ✓ || 1.0
+ |-
+ | 3.3 || Verify that sessions timeout after a specified period of inactivity. ||  ||  || ✓ || 1.0
+ |-
+ | 3.4 || Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). ||  || ✓ || ✓ || 1.0
+ |-
+ | 3.5 || Verify that all pages that require authentication have easy and visible access to logout functionality. || ✓ || ✓ || ✓ || 1.0
+ |-
+ | 3.6 || Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. ||  ||  || ✓ || 1.0
+ |-
+ | 3.7 || Verify that all successful authentication and re-authentication generates a new session and session id. || ✓ || ✓ || ✓ || 1.0
+ |-
+ | 3.10 || Verify that only session ids generated by the application framework are recognised as active by the application. ||  || ✓ || ✓ || 1.0
+ |-
+ | 3.11 || Test session IDs against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage. || ✓ || ✓ || ✓ || 1.0
+ |-
+ | 3.12 || Verify that session IDs stored in cookies are scoped using the 'path' attribute; and have the 'HttpOnly' and 'Secure' cookie flags enabled. || ✓ || ✓ || ✓ || 3.0
+ |-
+ | 3.17 || Verify that the application tracks all active sessions. And allows users to terminate sessions selectively or globally from their account.  ||  || ✓ || ✓ || 3.0
+ |-
+ | 3.18 || Verify for high value applications that the user is prompted with the option to terminate all other active sessions after a successful change password process. ||  ||  || ✓ || 3.1
+ |-
+ | 3.1 || TBA || ✓ || ✓ || ✓ || 1.0
+ |}
+ #
+ === References ===
  For more information, see also:

Revision as of 17:27, 3 January 2018

V3: Session Management Verification Requirements

Control Objective

One of the core components of any web-based application is the mechanism by which it controls and maintains state for a user interacting with it. This is referred to as Session Management and is defined as the set of all controls governing stateful interaction between a user and the web-based application.

Ensure that a verified application satisfies the following high level session management requirements:

  • Sessions are unique to each individual and cannot be guessed or shared
  • Sessions are invalidated when no longer required and timed out during periods of inactivity.

Security Verification Requirements

| # | Description | L1 | L2 | L3 | Since |
| --- | --- | --- | --- | --- | --- |
| 3.2 | Verify that sessions are invalidated when the user logs out. | ✓ | ✓ | ✓ | 1.0 |
| 3.3 | Verify that sessions time out after a specified period of inactivity. |  |  | ✓ | 1.0 |
| 3.4 | Verify that sessions time out after an administratively-configurable maximum time period regardless of activity (an absolute timeout). |  | ✓ | ✓ | 1.0 |
| 3.5 | Verify that all pages that require authentication have easy and visible access to logout functionality. | ✓ | ✓ | ✓ | 1.0 |
| 3.6 | Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. |  |  | ✓ | 1.0 |
| 3.7 | Verify that every successful authentication and re-authentication generates a new session and session ID. | ✓ | ✓ | ✓ | 1.0 |
| 3.10 | Verify that only session IDs generated by the application framework are recognised as active by the application. |  | ✓ | ✓ | 1.0 |
| 3.11 | Test session IDs against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis, and information leakage. | ✓ | ✓ | ✓ | 1.0 |
| 3.12 | Verify that session IDs stored in cookies are scoped using the 'path' attribute, and have the 'HttpOnly' and 'Secure' cookie flags enabled. | ✓ | ✓ | ✓ | 3.0 |
| 3.17 | Verify that the application tracks all active sessions and allows users to terminate sessions selectively or globally from their account. |  | ✓ | ✓ | 3.0 |
| 3.18 | Verify for high-value applications that the user is prompted with the option to terminate all other active sessions after a successful password change. |  |  | ✓ | 3.1 |
| 3.1 | TBA | ✓ | ✓ | ✓ | 1.0 |
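The server-side controls in the table above (3.2, 3.3, 3.4, 3.7, 3.10, 3.12, 3.17 and 3.18), as an added example of one way to implement them; this is illustrative code written for this page, not OWASP's or any framework's session manager. The timeout values, the cookie name and path, the in-memory store and the fake clock are all assumptions chosen so the behaviour can be observed offline.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

# Policy values are illustrative assumptions, not numbers mandated by ASVS.
IDLE_TIMEOUT = 15 * 60          # 3.3: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # 3.4: hard lifetime regardless of activity
SESSION_ID_BYTES = 32           # 3.11: 256 bits drawn from the OS CSPRNG


@dataclass
class Session:
    user: str
    client: str       # e.g. a user-agent summary, shown when listing sessions (3.17)
    handle: str       # short opaque label for the UI, so the real id is never displayed (3.6)
    created: float
    last_seen: float


class SessionStore:
    """Server-side session manager covering ASVS V3 items 3.2, 3.3, 3.4, 3.7, 3.10, 3.17, 3.18."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client: str, old_sid: str | None = None) -> str:
        """3.7: every (re)authentication issues a brand-new id, and any pre-authentication
        id is discarded so an attacker-supplied id can never become an authenticated one."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, client, secrets.token_hex(8), now, now)
        return sid

    def resolve(self, sid: str) -> Session | None:
        """3.10: only ids this store issued are active; unknown ids are rejected, never adopted.
        3.3/3.4: idle and absolute timeouts are enforced on every lookup."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        """3.2: logout destroys the server-side state; expiring the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def list_sessions(self, user: str) -> list[tuple[str, str]]:
        """3.17: show the user their active sessions by handle, never by session id."""
        return [(s.handle, s.client) for s in self._sessions.values() if s.user == user]

    def terminate(self, user: str, handle: str) -> bool:
        """3.17: selective termination; the owner check stops cross-account kills."""
        for sid, s in list(self._sessions.items()):
            if s.user == user and s.handle == handle:
                del self._sessions[sid]
                return True
        return False

    def terminate_others(self, user: str, keep_sid: str) -> int:
        """3.17 (global) and 3.18: after a password change, drop every other session."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user and sid != keep_sid]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def session_cookie(sid: str, path: str) -> str:
    """3.12: scope the cookie to the application path and set HttpOnly and Secure.
    SameSite is not in this table (it postdates ASVS 3.0) but costs nothing to add."""
    return f"session={sid}; Path={path}; HttpOnly; Secure; SameSite=Lax"


def walkthrough() -> dict:
    """Scripted scenario on a fake clock so each control's effect is observable."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    out = {}
    pre = store.login("alice", "laptop")
    out["forged_id_rejected"] = store.resolve("not-issued-by-this-app") is None   # 3.10
    sid = store.login("alice", "laptop", old_sid=pre)                           # 3.7
    out["old_id_dead_after_reauth"] = store.resolve(pre) is None
    store.login("alice", "phone")
    store.login("alice", "tablet")
    tablet = [h for h, client in store.list_sessions("alice") if client == "tablet"][0]
    out["cross_user_terminate"] = store.terminate("bob", tablet)                  # 3.17
    out["selective_terminate"] = store.terminate("alice", tablet)
    out["others_terminated"] = store.terminate_others("alice", sid)              # 3.18
    clock[0] += IDLE_TIMEOUT + 1
    out["idle_timeout"] = store.resolve(sid) is None                             # 3.3
    start = clock[0]
    sid = store.login("alice", "laptop")
    while clock[0] - start <= ABSOLUTE_TIMEOUT:      # keep touching it inside the idle limit
        clock[0] += IDLE_TIMEOUT - 60
        store.resolve(sid)
    out["absolute_timeout"] = store.resolve(sid) is None                         # 3.4
    sid = store.login("bob", "tablet")
    store.logout(sid)
    out["logout_invalidates"] = store.resolve(sid) is None                       # 3.2
    return out
```

`walkthrough()` returns a dict in which every key is True except `others_terminated`, which is 1 (only the phone session remained to be killed). Requirement 3.5 (a visible logout link on every authenticated page) and the verification criteria in 3.6 and 3.11 are not server-side logic and are not covered here.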
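Items 3.6, 3.11 and 3.12 are tests the verifier runs against the application rather than controls it implements. The following checks, added here as illustrative code and not part of the OWASP page or any OWASP tool, screen captured Set-Cookie headers, URLs, log lines and a sample of issued session IDs. The list of session cookie names, the URL-rewriting pattern, the 128-bit threshold and the embedded samples are assumptions; the samples are constructed for the example, not observed from a real application.

```python
import hashlib
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Cookie/parameter names commonly carrying a session id (assumption: extend per framework).
SESSION_NAMES = {"sessionid", "session", "jsessionid", "phpsessid", "asp.net_sessionid", "sid"}
URL_REWRITE = re.compile(r";(?:jsessionid|phpsessid|sessionid)=", re.IGNORECASE)


def check_set_cookie(header: str, app_path: str = "/") -> list[str]:
    """3.12: findings for a Set-Cookie value that carries a session id; [] if clean or not a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip().lower()
    if name not in SESSION_NAMES:
        return []
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("path", "/") == "/" and app_path != "/":
        findings.append(f"Path not scoped to {app_path}")
    return findings


def session_id_in_url(url: str) -> bool:
    """3.6: true if the URL carries a session id as a path parameter (URL rewriting) or query string."""
    u = urlsplit(url)
    if URL_REWRITE.search(u.path):
        return True
    return bool({k.lower() for k in parse_qs(u.query, keep_blank_values=True)} & SESSION_NAMES)


def leaking_lines(log_lines: list[str], issued_ids: list[str]) -> list[int]:
    """3.6: indices of log or error-message lines that contain a session id the application issued."""
    return [i for i, line in enumerate(log_lines) if any(sid in line for sid in issued_ids)]


def assess_ids(ids: list[str]) -> dict:
    """3.11: statistical screen of sampled session ids. Passing is necessary, not sufficient:
    it catches counters, short ids and skewed alphabets, not a seeded PRNG."""
    pooled = "".join(ids)
    lengths = {len(i) for i in ids}
    alphabet = set(pooled)
    counts = Counter(pooled)
    per_char = -sum(c / len(pooled) * math.log2(c / len(pooled)) for c in counts.values())
    ceiling_bits = min(lengths) * math.log2(len(alphabet))   # best case for this alphabet and length
    numeric = all(i.isdigit() for i in ids)                   # counters and timestamps are guessable
    return {
        "unique": len(set(ids)) == len(ids),
        "fixed_length": len(lengths) == 1,
        "numeric": numeric,
        "per_char_entropy": per_char,
        "ceiling_bits": ceiling_bits,
        "adequate": ceiling_bits >= 128 and not numeric,    # 128-bit floor is an assumption
    }


# Constructed samples for the example (not captured from a real application).
WEAK_IDS = [str(1000 + n) for n in range(10)]                  # a sequential counter
STRONG_IDS = [hashlib.sha256(f"sample-{n}".encode()).hexdigest() for n in range(10)]
# STRONG_IDS only stand in for CSPRNG output so the example is deterministic; hashing a
# counter is not a session id generator to copy.
SET_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",               # fails 3.12 on Secure and Path
    "sessionid=abc123; Path=/app; HttpOnly; Secure",    # passes
]
```

Run `check_set_cookie(h, "/app")` over every Set-Cookie header captured from the application, `session_id_in_url` over every link and redirect it emits, and `leaking_lines` over its logs with the IDs it issued to your test accounts; `assess_ids` needs a few hundred freshly issued IDs to be meaningful.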

References

For more information, see also: