MID-073: Secure HTTP Session Management

Mitigation Tier: Foundational

Description

The web application should use session tokens or IDs to manage each authenticated user session. Core requirements for secure session management include:

• Sessions tokens should be implemented using a trusted web framework to ensure that tokens are correctly assigned, enforced, tracked, and maintained to ensure that they keep their integrity and provide all necessary security guarantees.

• Each session should be associated with a unique and non-predictable session IDs, which includes sufficient entropy to prevent guessing and is totally decoupled from and unrelated to any inherent user information.

• Session IDs should be protected against leakage. HTTP Cookies provide multiple ways to prevent leakage, including the HTTPOnly, SameSite, Domain and Path information, expiration, and max-age secure attributes.

IEC 62443 4-2 Mappings

• CR 3.8 – Session integrity

References

[1] OWASP. “Session Management Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

MID-073