The session tokens should be handled by the web server if possible or generated via a cryptographically secure random number generator.

===Inactivity Time Out===
Authenticated sessions should time out after a determined period of inactivity; 15 minutes is recommended.

===Secure Flag===
The "Secure" flag should be set on every Set-Cookie. This instructs the browser to never send the cookie over HTTP. The purpose of this flag is to prevent the accidental exposure of a cookie value if a user follows an HTTP link.
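As an added example (not code from the cheat sheet), the three recommendations above combined in one small Python helper: a token from a CSPRNG, a Set-Cookie header carrying the Secure flag, and a 15-minute inactivity check. The cookie name, token length, in-memory store and injectable clock are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed values for this example; the cheat sheet only fixes the 15-minute limit.
TOKEN_BYTES = 32                 # 256 bits of entropy from the OS CSPRNG
INACTIVITY_LIMIT = 15 * 60       # seconds of inactivity before the session dies
COOKIE_NAME = "SESSIONID"


class SessionStore:
    """Minimal server-side session table keyed by an unguessable token."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock (tests use a fake one)
        self._sessions = {}              # token -> timestamp of last activity

    def create(self):
        # secrets.token_urlsafe draws from the CSPRNG, never from random.random()
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = self._now()
        return token

    def set_cookie_header(self, token):
        """Build the Set-Cookie header line; Secure keeps it off plain HTTP."""
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        cookie[COOKIE_NAME]["secure"] = True      # browser sends it over HTTPS only
        cookie[COOKIE_NAME]["httponly"] = True    # not readable from page scripts
        cookie[COOKIE_NAME]["samesite"] = "Lax"
        cookie[COOKIE_NAME]["path"] = "/"
        return cookie.output(header="Set-Cookie:")

    def touch(self, token):
        """Return True if the token is live, refreshing its activity time.

        An unknown token, or one idle longer than INACTIVITY_LIMIT, is
        rejected; idle sessions are removed so they cannot be revived.
        """
        last = self._sessions.get(token)
        if last is None:
            return False
        if self._now() - last > INACTIVITY_LIMIT:
            del self._sessions[token]
            return False
        self._sessions[token] = self._now()
        return True
```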