This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - SM 8"
From OWASP
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 8</span>}} File:Cornucopia_-_Ecommerce_Website_SM_8....") |
|||
Line 34: | Line 34: | ||
</tr> | </tr> | ||
</table> | </table> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Revision as of 16:21, 21 January 2016
Suit: Session management
Card/Value: 8
Description:
Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed.
Technical Note:
A user's privileges may change during a session. If this information is also stored in session data, it will not reflect the changes. Consider forcing re-authentication.
See Authentication AT 9 for other re-authentication requirements.
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
96 | - | - | 21 | 28 |