(Please email me to discuss - Undo revision 357366 by Yorickpeterse (talk))
Line 139:
===HTTP-Only Flag===
The "HttpOnly" attribute should be set on the session cookie so that client-side script cannot read the session ID through document.cookie. An XSS payload then cannot exfiltrate the ID directly; it can still make requests that carry the cookie, so HttpOnly limits rather than removes the impact of XSS.
===Login===
A new session ID should be generated on login and the pre-login ID invalidated. Cookies are not isolated by origin: script running on a sibling domain or subdomain (for example via an XSS there) can set a cookie scoped to the parent domain and so fix the session ID the victim will present at login. Regenerating the ID at authentication ensures an attacker-known value never becomes an authenticated session. The same should be done on any change of privilege level.
===Logout===
Upon logout the session ID should be invalidated on the server side, so that a replayed cookie is rejected, and deleted on the client by overwriting the cookie with an empty value and an expiry in the past (or Max-Age=0).
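The three controls above, as an added example that is not part of the cheat sheet or of any OWASP project code: a minimal in-memory session store that issues the cookie with HttpOnly (plus Secure and SameSite), rotates the session ID at login so a planted ID never becomes authenticated, and on logout invalidates server-side first and then overwrites the client cookie with an expired, empty value. The cookie name "sid", the dict-backed store, the TTL and the `fixation_demo` walkthrough are assumptions for the demo; the credential check is assumed to have been done by the caller of `login`.

```python
"""Added example (not from the cheat sheet): HttpOnly cookie, ID rotation on
login, and server- plus client-side invalidation on logout."""
import secrets
import time
from typing import Optional

COOKIE_NAME = "sid"   # assumed cookie name for the demo
ID_BYTES = 32         # 256 bits of CSPRNG entropy per session ID


class SessionStore:
    """In-memory store mapping session_id -> session data (assumption: a dict)."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: dict[str, dict] = {}
        self.ttl = ttl_seconds

    def create(self, data: Optional[dict] = None) -> str:
        sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = dict(data or {}, created=time.time())
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        """Return the live session for sid, or None if unknown, missing or expired."""
        if not sid or sid not in self._sessions:
            return None
        sess = self._sessions[sid]
        if time.time() - sess["created"] > self.ttl:
            self.invalidate(sid)
            return None
        return sess

    def invalidate(self, sid: Optional[str]) -> None:
        """Server-side invalidation: a replayed cookie with this ID is now rejected."""
        if sid:
            self._sessions.pop(sid, None)

    def regenerate(self, old_sid: Optional[str]) -> str:
        """Issue a fresh ID, carry over pre-login data, and kill the old ID.
        An ID an attacker planted (session fixation) therefore never survives login."""
        data = dict(self.get(old_sid) or {})
        data.pop("created", None)
        self.invalidate(old_sid)
        return self.create(data)


def set_cookie(value: str, max_age: int) -> str:
    """Set-Cookie value: HttpOnly keeps document.cookie from reading the ID."""
    return (f"{COOKIE_NAME}={value}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def clear_cookie() -> str:
    """Overwrite the client cookie with an empty value that is already expired."""
    return (f"{COOKIE_NAME}=; Path=/; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax")


def login(store: SessionStore, presented_sid: Optional[str], user: str) -> tuple:
    """Bind `user` (credentials already verified by the caller) to a new session ID.
    Returns (new_sid, Set-Cookie header value)."""
    new_sid = store.regenerate(presented_sid)
    store.get(new_sid)["user"] = user
    return new_sid, set_cookie(new_sid, store.ttl)


def logout(store: SessionStore, presented_sid: Optional[str]) -> str:
    """Invalidate on the server first, then tell the client to drop the cookie."""
    store.invalidate(presented_sid)
    return clear_cookie()


def fixation_demo() -> dict:
    """Constructed walkthrough: the attacker knows `planted` and hopes the victim
    authenticates under it. After login the planted ID resolves to nothing."""
    store = SessionStore()
    planted = store.create({"cart": ["item1"]})   # attacker-known pre-login ID
    new_sid, cookie = login(store, planted, "alice")
    victim_view = store.get(new_sid)
    result = {
        "id_rotated": new_sid != planted,
        "attacker_view": store.get(planted),       # None: planted ID is dead
        "cart_preserved": victim_view["cart"],
        "user": victim_view["user"],
        "cookie": cookie,
        "clear_cookie": logout(store, new_sid),
    }
    result["after_logout"] = store.get(new_sid)   # None: invalidated server-side
    return result


if __name__ == "__main__":
    for key, value in fixation_demo().items():
        print(f"{key}: {value}")
```

Note that `regenerate` is the only path that hands out an authenticated ID, so there is no code path in which the ID presented before login is ever associated with a user; `logout` deliberately invalidates before building the clearing header so that a client that ignores the Set-Cookie still holds a dead ID.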