Is the session management implemented with certain standard components or services? Then reference them here.
The session management MUST be based on the standard implementation of the application server or web container.
Session IDs MUST be:
at least 120 bits strong,
generated with a cryptographically secure pseudorandom number generator (CSPRNG) and be completely random,
transferred encrypted (via TLS/HTTPS) on insecure networks,
renewed after every successful user authentication,
NOT transmitted in URLs.
Session cookies MUST be restricted in respect of their validity:
Set all three security attributes "httpOnly", "secure" and "SameSite".
Avoid persistent cookies (don't set the expire attribute).
Set a path attribute to the base URL in case multiple applications are operated on the same system.
Authenticated server-side sessions:
MUST be invalidated after a user has been logged in successfully,
MUST be invalidated after an authenticated user has been idle for more than 30 minutes (idle or soft logout),
SHOULD be invalidated after a user session has been active for more than 24 hours,
SHOULD only exist once per user. When a user logs on, all existing session objects of this user SHOULD be invalidated.
All state-changing operations (create, update, delete) on an authenticated user session MUST be protected against session replay and Cross-Site Request Forgery (CSRF).
State-changing operations MUST be protected with a cryptographically random replay token (e.g. as an additional hidden field or as a custom X- header) that is unique for the user session or for a specific request.
State-changing operations MUST be denied if a CSRF token is invalid or missing.
If a web framework provides its own CSRF protection mechanism, then this SHOULD be used.
State-changing operations MUST NOT be possible via HTTP GET.
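The session ID, cookie attribute, session lifetime and CSRF requirements above, as one added illustrative server-side session store (example code written for this page, not the standard implementation of any application server). The cookie name SESSIONID, the path /app and the in-memory store are assumptions; a real deployment relies on the container's session mechanism instead.

```python
import hmac, secrets, time

IDLE_TIMEOUT = 30 * 60        # idle (soft) logout after 30 minutes
ABSOLUTE_TIMEOUT = 24 * 3600  # hard upper limit of 24 hours per session

def new_session_id():
    # 16 bytes from the CSPRNG = 128 bits, above the 120-bit minimum
    return secrets.token_urlsafe(16)

def session_cookie_header(session_id, path="/app"):
    # No Expires/Max-Age, so the browser does not persist the cookie (assumed cookie name)
    return f"Set-Cookie: SESSIONID={session_id}; Path={path}; HttpOnly; Secure; SameSite=Strict"

class SessionStore:
    def __init__(self, now=time.time):
        self._now, self._sessions, self._by_user = now, {}, {}

    def invalidate(self, sid):
        rec = self._sessions.pop(sid, None)
        if rec:
            self._by_user.pop(rec["user"], None)

    def login(self, user):
        # One session per user: drop any existing one, then issue a fresh ID
        # so an ID seen before authentication is never reused afterwards
        self.invalidate(self._by_user.get(user))
        sid, now = new_session_id(), self._now()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "csrf": secrets.token_urlsafe(32)}
        self._by_user[user] = sid
        return sid

    def get(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._now()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)
            return None
        rec["last_seen"] = now
        return rec

    def allow_state_change(self, method, sid, csrf_token):
        # GET never changes state; anything else needs a live session and a
        # matching per-session CSRF token, compared in constant time
        if method == "GET" or not isinstance(csrf_token, str):
            return False
        rec = self.get(sid)
        return rec is not None and hmac.compare_digest(rec["csrf"], csrf_token)
```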