Cornucopia - Ecommerce Website - SM 5

Suit: Session management

Card/Value: 5

Description:
John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically.

Technical Note:
Ensure the following occur:
 * Ensure sufficiently long and random session identifiers are used
 * Generate a new session identifier:
   * If a session was established before login, and successful login has occurred
   * When changing from HTTP to HTTPS
   * When re-authenticating
   * Periodically otherwise.

See SM 7 for session termination on logging out.
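The checklist above, applied in a minimal server-side session store. This is an added example, not code from the Cornucopia project; the class, method names and the rotation interval are assumptions for illustration.

```python
import secrets
import time

ID_BYTES = 32                    # 256 bits from the OS CSPRNG: long and unpredictable
ROTATE_AFTER_SECONDS = 15 * 60   # assumed interval for "periodically otherwise"


class SessionStore:
    """Server-side session table keyed by an opaque identifier (example code)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._sessions = {}          # session id -> {"user", "secure", "issued"}

    def _new_id(self):
        # secrets.token_urlsafe draws from the OS CSPRNG; never use random or a counter
        return secrets.token_urlsafe(ID_BYTES)

    def _rotate(self, old_sid):
        """Move the session state to a fresh id and invalidate the old id."""
        state = self._sessions.pop(old_sid)   # old id no longer resolves
        state["issued"] = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = state
        return new_sid

    def create(self, secure=False):
        """Anonymous session, e.g. a shopping cart established before login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "secure": secure, "issued": self._clock()}
        return sid

    def login(self, sid, user):
        """Successful login or re-authentication: the role changed, so re-issue the id."""
        self._sessions[sid]["user"] = user
        return self._rotate(sid)

    def touch(self, sid, secure):
        """Call on every request: rotate on HTTP->HTTPS switch or when the id is stale."""
        state = self._sessions.get(sid)
        if state is None:
            raise KeyError("unknown or invalidated session id")
        if secure and not state["secure"]:
            state["secure"] = True           # first request over TLS: fresh id
            return self._rotate(sid)
        if self._clock() - state["issued"] >= ROTATE_AFTER_SECONDS:
            return self._rotate(sid)         # periodic rotation
        return sid

    def user_of(self, sid):
        return self._sessions[sid]["user"]
```

The caller must set the returned identifier in the response cookie whenever it differs from the one received, since the previous identifier stops resolving.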

References: