MID-073: Secure HTTP Session Management

Mitigation Tier: Foundational

Description

The web application should use session tokens or IDs to manage each authenticated user session. Core requirements for secure session management include:

  • Session tokens should be implemented using a trusted web framework so that tokens are correctly assigned, enforced, tracked, and maintained, preserving their integrity and providing all necessary security guarantees.

  • Each session should be associated with a unique, non-predictable session ID that includes sufficient entropy to prevent guessing and is fully decoupled from any inherent user information.

  • Session IDs should be protected against leakage. HTTP cookies provide several attributes for this: Secure and HttpOnly keep the cookie off plaintext connections and away from client-side script, SameSite restricts cross-site sending, Domain and Path scope where it is sent, and Expires and Max-Age bound its lifetime.
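The following is an added example, not code from the mitigation page or from any referenced framework. It shows the two preceding requirements in working form: a CSPRNG-generated session ID, a Set-Cookie builder that emits the leakage-limiting attributes, and a small audit function that a defender can run over captured Set-Cookie headers to flag missing attributes or ID values that look predictable. The sample headers, the 22-character minimum (roughly 128 bits of URL-safe base64) and the 24-hour Max-Age ceiling are constructed assumptions for illustration, not values from the page.

```python
"""Generate, emit and audit session cookies per the MID-073 requirements (added example)."""
import secrets
from typing import Dict, List, Optional, Tuple

# Heuristic thresholds (assumptions for this example, not from the page).
MIN_ID_CHARS = 22          # 22 url-safe base64 chars ~= 128 bits of random data
MAX_SESSION_AGE = 86400    # flag persistent session cookies living longer than a day
FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}


def new_session_id(nbytes: int = 32) -> str:
    """Return a CSPRNG-generated, URL-safe session ID carrying nbytes*8 bits of entropy.

    The value is random only: nothing about the user is encoded in it.
    """
    return secrets.token_urlsafe(nbytes)


def build_session_cookie(name: str, session_id: str, max_age: int = 1800,
                         domain: Optional[str] = None, path: str = "/") -> str:
    """Build a Set-Cookie header value with Secure, HttpOnly, SameSite and lifetime set."""
    parts = [f"{name}={session_id}", f"Path={path}", f"Max-Age={max_age}",
             "Secure", "HttpOnly", "SameSite=Strict"]
    if domain:
        parts.insert(2, f"Domain={domain}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value_or_None})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for item in rest:
        if not item:
            continue
        key, sep, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for a session Set-Cookie header; an empty list means all checks passed."""
    _name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    # Leakage controls: Secure, HttpOnly and SameSite should all be present.
    for key, label in FLAG_NAMES.items():
        if key not in attrs:
            findings.append(f"missing {label}")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none":
        findings.append("SameSite=None sends the cookie on cross-site requests")
    # Lifetime: a very long Max-Age keeps a stolen cookie usable for longer.
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
        findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_AGE}s")
    # Unpredictability: purely numeric or short IDs are the classic guessable pattern.
    if value.isdigit():
        findings.append("session ID is purely numeric (likely sequential)")
    if len(value) < MIN_ID_CHARS:
        findings.append(f"session ID shorter than {MIN_ID_CHARS} chars (heuristic: low entropy)")
    return findings


# Constructed sample headers for demonstration (not captured from any real system).
WEAK_HEADER = "JSESSIONID=1001; Path=/"
LAX_HEADER = f"sid={new_session_id()}; Secure; HttpOnly; SameSite=None; Max-Age=2592000"

if __name__ == "__main__":
    good = build_session_cookie("sid", new_session_id())
    for label, hdr in (("weak", WEAK_HEADER), ("lax", LAX_HEADER), ("good", good)):
        print(f"{label}: {audit_session_cookie(hdr) or 'OK'}")
```

The audit is intentionally header-only: it cannot tell whether the server also regenerates the ID after login or expires sessions server-side, which the framework requirement above is meant to cover.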

IEC 62443 4-2 Mappings

  • CR 3.8 – Session integrity

References

[1] OWASP. “Session Management Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html