This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - SM 3"
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 3</span>}} File:Cornucopia_-_Ecommerce_Website_SM_3....") |
|||
Line 34: | Line 34: | ||
</tr> | </tr> | ||
</table> | </table> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
Latest revision as of 16:20, 21 January 2016
Suit: Session management
Card/Value: 3
Description:
Ryan can use a single account in parallel since concurrent sessions are allowed.
Technical Note:
In some ecommerce applications it may be desirable to allow customers to be logged in using multiple browsers/devices. However that would be unusual for administrative users, or users of more sensitive data. Even if concurrent sessions are allowed. consider what should occur in other sessions when a user changes their password, or changes their delivery address, or logs out, or times out, or authentication failure occurs.
NB: This card relates to concurrent sessions created by authenticating more than once in different browsers/devices. See SM 6 for using the same session identifier in concurrent sessions.
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
68 | 3.16 | - | - | 28 |