Cornucopia - Ecommerce Website - SM 9

Suit: Session management

Card/Value: 9

Description:
Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter.

Technical Note:
Protect session identifiers as if they are account credentials. For HTTP cookies:
 * Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value.
 * Set the 'secure' attribute for cookies transmitted over a TLS connection.
 * Consider making the whole ecommerce website 'SSL-only', adding the HTTP Strict Transport Security (HSTS) header and adding the domain to web browser pre-load lists.
