
Update: Session_Management_Cheat_Sheet

Open randomstuff opened this issue 2 years ago • 11 comments

What is missing or needs to be updated?

The session management cheat sheet lacks guidance regarding how to store and validate session tokens (and similar tokens) server-side:

  • store the session token server-side;
  • store a hash of the session token server-side;
  • use (session_id, MAC-or-sign(session_id)) as the cookie and store session_id server-side;
  • use session_id as the cookie and store hash(session_id) server-side;
  • use (session_id, session_verifier) as the cookie and store (session_id, hash(session_verifier)) server-side.

How should this be resolved?

randomstuff, Jun 23 '23 09:06
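An added example, written for this page and not taken from the thread or from the cheat sheet, of two of the storage schemes listed in the opening post: the (session_id, session_verifier) cookie with only hash(session_verifier) kept server-side, and the (session_id, MAC(session_id)) cookie with the plain session_id kept server-side. The in-memory SESSION_STORE dictionary, the MAC_KEY constant and the "." separator are assumptions made for the example; a real deployment would use a database and a key loaded from a secret store.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed for this example: a per-server MAC key and an in-memory
# session table standing in for the session database.
MAC_KEY = secrets.token_bytes(32)
SESSION_STORE: Dict[str, dict] = {}


def _hash_verifier(verifier: str) -> str:
    # The verifier is 256 bits of CSPRNG output, so a fast unsalted hash is
    # sufficient; salting and slow hashing only matter for low-entropy secrets.
    return hashlib.sha256(verifier.encode()).hexdigest()


# --- Scheme A: cookie = session_id.verifier, server stores hash(verifier) ---

def create_session(user_id: str) -> str:
    """Issue a cookie; only the hash of the secret half is persisted, so a
    read-only leak of the session table does not yield usable cookies."""
    session_id = secrets.token_urlsafe(16)   # lookup key, may appear in logs
    verifier = secrets.token_urlsafe(32)     # secret, never stored in clear
    SESSION_STORE[session_id] = {
        "user_id": user_id,
        "verifier_hash": _hash_verifier(verifier),
    }
    return f"{session_id}.{verifier}"


def validate_session(cookie: str) -> Optional[str]:
    """Return the user_id for a valid cookie, or None."""
    try:
        session_id, verifier = cookie.split(".", 1)
    except ValueError:
        return None
    record = SESSION_STORE.get(session_id)
    if record is None:
        return None
    # The dictionary lookup is by the non-secret id; the secret is compared
    # in constant time so a timing side channel cannot recover it.
    if not hmac.compare_digest(record["verifier_hash"], _hash_verifier(verifier)):
        return None
    return record["user_id"]


def revoke_session(cookie: str) -> bool:
    """Server-side logout: the cookie stops validating even if it is replayed."""
    if validate_session(cookie) is None:
        return False
    del SESSION_STORE[cookie.split(".", 1)[0]]
    return True


# --- Scheme B: cookie = session_id.MAC(session_id), server stores session_id ---

def create_signed_session(user_id: str) -> str:
    session_id = secrets.token_urlsafe(16)
    SESSION_STORE[session_id] = {"user_id": user_id}
    tag = hmac.new(MAC_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def validate_signed_session(cookie: str) -> Optional[str]:
    """Check the MAC before touching the store, so forged ids are rejected
    without a database round trip; then require the id to still be live."""
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(MAC_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    record = SESSION_STORE.get(session_id)
    return record["user_id"] if record else None
```

Scheme A protects against an attacker who can read the session table but not write to it; scheme B protects the lookup path from guessed or enumerated ids but still needs the server-side entry so that logout and expiry work. Both schemes keep the full secret only in the client's cookie.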

@randomstuff I am currently reading through the OWASP Cheat Sheet Series. Can I work on this? I have a few ideas on how to store and validate them.

R0h1t3, Aug 07 '23 11:08

Yes, please! This is all on GitHub and we take PRs!

jmanico, Aug 07 '23 14:08

@jmanico I am pretty new to GitHub contribution, so what should I do now? Should I clone the session management cheat sheet, make changes to it and open a pull request, or what should I do? Kindly guide me through.

R0h1t3, Aug 08 '23 14:08

Probably the easiest way is to fork it, then clone THAT, make changes, commit, and push to your repo (vs the original upstream one), and then create a PR from your repo.

kwwall, Aug 08 '23 14:08

See, for example, "How to securely store and use session IDs" on Information Security Stack Exchange.

randomstuff, May 21 '24 07:05