MID-073: Secure HTTP Session Management
Mitigation Tier: Foundational
Description
The web application should use session tokens or IDs to manage each authenticated user session. Core requirements for secure session management include:
- Session tokens should be implemented using a trusted web framework so that tokens are correctly assigned, enforced, tracked and maintained, keep their integrity, and provide all necessary security guarantees.
- Each session should be associated with a unique, non-predictable session ID that contains sufficient entropy to prevent guessing and is entirely decoupled from and unrelated to any user information.
- Session IDs should be protected against leakage. HTTP cookies provide several attributes for this purpose: HttpOnly, Secure, SameSite, Domain and Path, and the Expires and Max-Age expiration attributes.
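The following Python example is added here to illustrate the three requirements above; it is not code from this entry or from OWASP. It keeps an opaque, randomly generated session ID on the server side (so the cookie carries nothing derived from the user), issues the cookie with the protective attributes listed above, and includes a small check that reports which of those attributes a Set-Cookie value lacks. The cookie name `sid`, the 30-minute lifetime and the `SessionStore` class are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# 32 random bytes = 256 bits of entropy from the OS CSPRNG; the ID is an
# opaque handle, never derived from the username or other user data.
SESSION_ID_BYTES = 32
COOKIE_NAME = "sid"                     # assumed cookie name
DEFAULT_TTL_SECONDS = 30 * 60           # assumed 30-minute session lifetime


class SessionStore:
    """Server-side session table: cookie value -> {user, expiry}.

    Only the random ID travels in the cookie; the user identity is looked up
    on the server, so the ID leaks nothing about the user if it is observed.
    """

    def __init__(self, ttl_seconds=DEFAULT_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user_id, now=None):
        """Start a session for user_id and return its fresh random ID."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {"user": user_id, "expires": now + self.ttl}
        return session_id

    def lookup(self, session_id, now=None):
        """Return the user bound to session_id, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[session_id]   # expired: drop it server-side too
            return None
        return entry["user"]


def session_cookie(session_id, max_age=DEFAULT_TTL_SECONDS, domain=None, path="/"):
    """Build the Set-Cookie value with leakage-limiting attributes applied."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True        # not readable from script (document.cookie)
    morsel["secure"] = True          # sent only over HTTPS
    morsel["samesite"] = "Strict"    # not attached to cross-site requests
    morsel["path"] = path            # scope to the application path
    morsel["max-age"] = int(max_age) # bounded lifetime in the browser
    if domain:
        morsel["domain"] = domain    # scope to the intended host(s)
    return morsel.OutputString()


REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_attributes(set_cookie_value):
    """Return the protective attributes absent from a Set-Cookie value.

    Intended as a review/monitoring check over headers a server emits.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:                 # parts[0] is name=value
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    if "max-age" not in attrs and "expires" not in attrs:
        missing.append("Max-Age or Expires")
    return missing


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print("user for cookie:", store.lookup(sid))
    # Constructed weak header for comparison: only Path is set.
    print("gaps in weak header:", missing_cookie_attributes("sid=abc; Path=/"))
```

The check is deliberately independent of the framework in use: point it at the Set-Cookie values a deployed application actually returns (for example from a proxy log) to confirm the attributes survived configuration and deployment.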
IEC 62443 4-2 Mappings
- CR 3.8 – Session integrity
References
[1] OWASP. “Session Management Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html