Verify that cookie-based session tokens have the 'Secure' attribute set. (C6)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 614
Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 1004
Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. (C6)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 1275
Verify that cookie-based session tokens use the "__Host-" prefix so cookies are only sent to the host that initially set the cookie.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 16
Verify that if the application is published under a domain name with other applications that set or use session cookies that might disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. (C6)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 16
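The five requirements above can be checked mechanically against a response's Set-Cookie header. The following Python checker is an added example, not code from the ASVS project or this page; the `app_path` parameter and the sample headers are assumptions constructed for the demonstration.

```python
"""Grade a Set-Cookie response header against the ASVS cookie-based session
requirements listed above (Secure, HttpOnly, SameSite, __Host- prefix, Path)."""


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_session_cookie(header: str, app_path: str = "/") -> dict[str, bool]:
    """Return one pass/fail entry per requirement. app_path is the most precise
    path the application is served under (hypothetical parameter, default '/')."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    has_secure = "secure" in attrs
    return {
        # CWE-614: cookie is only transmitted over TLS
        "Secure": has_secure,
        # CWE-1004: cookie is not readable from script
        "HttpOnly": "httponly" in attrs,
        # CWE-1275: Lax or Strict limits CSRF; 'None' or absent does not
        "SameSite": samesite in ("lax", "strict"),
        # browsers only honour __Host- with Secure, Path=/ and no Domain attribute
        "__Host- prefix": (name.startswith("__Host-") and has_secure
                           and attrs.get("path") == "/" and "domain" not in attrs),
        # explicit, most precise path; an absent Path falls back to a browser default
        "Path": attrs.get("path") == app_path,
    }


def failures(header: str, app_path: str = "/") -> list[str]:
    """Names of the requirements the header does not satisfy."""
    return [req for req, ok in check_session_cookie(header, app_path).items() if not ok]


# Constructed sample headers (not taken from the page).
WEAK = "sessionid=1a2b3c; Path=/"
HARDENED = "__Host-sessionid=1a2b3c; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        print(hdr, "->", failures(hdr) or "all requirements met")
```

Note that the `__Host-` prefix forces `Path=/`, so for an application served under a sub-path the prefix check and the most-precise-path check cannot both pass with one cookie; the checker reports that tension rather than hiding it.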
Credit via OWASP ASVS. For more information visit the OWASP ASVS Project or its GitHub repository. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.