Friday, February 27

Tips on Web Application Session practices

    1. Use a database for sessions.
 
    2. Regenerate the session when the permissions change (e.g., when a user logs in).
 
    3. Regenerate the session on every page load (optional).
 
    4. Don't expose the session ID in the URL.
 
    5. Don't expose any sensitive data to the session.
 
    6. Only use the session through secure transport, otherwise someone could sniff the cookie and hijack the session.
 
    7. Expire your session after a reasonable amount of time.

In addition to VirtuosiMedia's list:

    1. Use TLS (SSL) across the entire site. Use the HSTS header.
 
    2. Use a session cookie, rather than adding a session token to every link-href and form-action.
 
    3. Use the secure and httpOnly flags on the cookie.
 
    4. Use the X-Frame-Options header.
 
    5. Keep the content of the session minimal. E.g., store only the user-id. If caching is needed, cache in a general caching layer, not the session.
 
    6. Cryptographically sign the session cookie with a secret key known only to the server. Include an expiration datetime in the signed data. Check the signature and the expiration at the server on every request.
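As an added illustration of items 3, 5 and 6 above (this is example code, not taken from either list's author), here is a minimal signed session cookie in Python: the payload holds only the user id and an expiry, it is HMAC-signed with a server-side secret, and the server verifies signature and expiry on every request. The secret key and the cookie name `session` are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for this example; a real deployment loads it from
# configuration or a secrets manager, never from source code.
SECRET_KEY = b"example-server-secret-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(user_id, ttl_seconds, now=None):
    """Build a minimal signed session value: only the user id plus an
    expiry timestamp (items 5 and 6). Format: base64(payload).base64(sig)."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_session(cookie_value, now=None):
    """Return the user id, or None if the cookie is malformed, the signature
    does not verify, or the session has expired. The signature is checked
    before anything inside the payload is trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie_value.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:  # expiry is part of the signed data
        return None
    return data.get("uid")

def set_cookie_header(value, ttl_seconds):
    """Set-Cookie line with the flags from item 3: Secure so the cookie only
    travels over TLS, HttpOnly so page scripts cannot read it."""
    return (f"Set-Cookie: session={value}; Max-Age={ttl_seconds}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

if __name__ == "__main__":
    cookie = issue_session(user_id=42, ttl_seconds=3600)
    print(set_cookie_header(cookie, 3600))
    print("verified uid:", verify_session(cookie))
```

Regenerating the session on login (item 2 of the first list) is then simply issuing a fresh value with a new expiry and overwriting the cookie.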
