Cornucopia - Ecommerce Website - SM 6

Revision as of 14:49, 21 January 2016 by Dariodf

[Card image: Cornucopia - Ecommerce Website SM 6.png]

Suit: Session management

Card/Value: 6


Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location.

Technical Note:

There should be a session inactivity timeout that is as short as possible, balancing risk against business functional requirements; the timeout could be role-dependent. Additionally, disallow persistent logins and enforce periodic session termination (e.g. after 8 or 12 hours) even when the session is active, especially for applications supporting rich network connections or connecting to critical systems. Termination times should support business requirements, and the user should receive sufficient notification to mitigate negative impacts.

NB: This card primarily relates to session timeout, but also includes using the same session identifier in concurrent sessions. See SM 3 for concurrent sessions created by authenticating more than once in different browsers/devices.
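As an added illustration (not part of the card text or any OWASP project code), the following Python session store enforces the three controls described above: a role-dependent inactivity timeout, an absolute session lifetime that expires even an active session, and rejection of a session identifier presented from a different client. The client fingerprint, the role names and the timeout values are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: idle budget per role (seconds), with the shorter budget
# for the higher-privilege role; an 8-hour absolute limit; 2 minutes of warning.
IDLE_TIMEOUT = {"customer": 15 * 60, "admin": 5 * 60}
ABSOLUTE_TIMEOUT = 8 * 60 * 60
WARN_BEFORE = 2 * 60


@dataclass
class Session:
    user: str
    role: str
    client: str        # assumed client fingerprint bound at login (e.g. UA + IP range)
    created: float     # start of the absolute lifetime
    last_seen: float   # start of the idle window


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, role, client, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        self._sessions[sid] = Session(user, role, client, now, now)
        return sid

    def check(self, sid, client, now=None):
        """Return (status, seconds_left). Any failed check revokes the session."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return "unknown", 0
        if client != s.client:                 # same id used from another device/location
            self._sessions.pop(sid)
            return "client_mismatch", 0
        abs_left = s.created + ABSOLUTE_TIMEOUT - now
        idle_left = s.last_seen + IDLE_TIMEOUT[s.role] - now
        if abs_left <= 0:                      # periodic termination even when active
            self._sessions.pop(sid)
            return "absolute_timeout", 0
        if idle_left <= 0:                     # inactivity timeout
            self._sessions.pop(sid)
            return "idle_timeout", 0
        s.last_seen = now                      # activity renews only the idle window
        left = min(IDLE_TIMEOUT[s.role], abs_left)
        return ("expiring_soon" if left <= WARN_BEFORE else "ok"), left
```

The "expiring_soon" status is what the application would use to give the user the advance notice the technical note calls for.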


Cross-references printed on the card:
OWASP SCP: 64, 65
OWASP ASVS: 3.3, 3.16
OWASP AppSensor: SE5, SE6
CAPEC: 21
SAFECode: 28
