Session Setting

ID

ruby.checksessionsettings

Severity

low

Resource

Session Setting

Language

Ruby

Description

This vulnerability occurs when sessions are configured insecurely, leading to potential session hijacking or fixation attacks. Improper session management can result in unauthorized access to sensitive information.

Rationale

Checks for session key length and http_only settings

Remediation

To secure cookies in web applications, implement the following practices:

  1. Use the Secure Attribute: Always set the Secure attribute on cookies if your application supports HTTPS. This ensures cookies are only sent over secure channels.

  2. Set the HttpOnly Attribute: Apply the HttpOnly attribute to cookies that store sensitive data, preventing access from client-side scripts and mitigating XSS risks.

  3. Avoid Storing Sensitive Data in Cookies: Encrypt any sensitive data stored in cookies and, where possible, avoid storing information like passwords or sensitive session data directly.

  4. Manage Cookie Expirations Wisely: Use session cookies rather than persistent ones for sensitive information, ensuring they expire appropriately and reduce the risk of exploitation.

  5. Regularly Audit Cookie Usage: Review cookies in use on your website to ensure best practices are consistently applied.

Configuration

This detector does not need any configuration.

References

  • CWE-315 : Cleartext Storage of Sensitive Information in a Cookie.

  • CWE-539 : Use of Persistent Cookies Containing Sensitive Information.

  • CWE-614 : Insufficient Session Expiration.

  • CWE-1004 : Sensitive Cookie without 'HttpOnly' Flag.

  • CWE-1275 : Sensitive Cookie with Improper 'SameSite' Attribute.

  • OWASP - Top 10 2021 Category A05 : Security Misconfiguration.