
Update: Session Management - caching guidelines

Open SnowdenWintermute opened this issue 4 months ago • 2 comments

In the Web Content Caching section it says:

"Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID (see here)."

But I am confused because MDN says (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control)

"Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use."

So does this mean we should be sending the no-store directive with any response from our server which includes a header of set-cookie: sessionid=someid?

SnowdenWintermute avatar Sep 29 '24 12:09 SnowdenWintermute
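The following is an added example, not code from the cheat sheet or from the issue author. It shows the distinction the question turns on in a small header audit: a Cache-Control parser that understands the quoted field-name form (`no-cache="Set-Cookie, Set-Cookie2"`), a check that flags any response issuing a session cookie without `no-store`, and a `harden()` helper that rewrites the policy. The header lists are constructed, and `SESSION_COOKIE_NAMES` is an assumed allow-list to adapt to your own cookie name.

```python
"""Audit HTTP response headers: may a cache store a response that issues a
session cookie? Added example; the sample headers below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Assumed set of cookie names that carry a session identifier (adapt as needed).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "connect.sid"}

# One directive: token, optionally "=" and either a quoted-string or a bare argument.
_DIRECTIVE = re.compile(r'([\w-]+)(?:=("[^"]*"|[^,\s]*))?')


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control field value into {directive: argument-or-None}.

    The quoted field-name form, e.g. no-cache="Set-Cookie, Set-Cookie2", is
    returned with the quotes stripped so callers can tell it from plain no-cache.
    """
    directives: Dict[str, Optional[str]] = {}
    for match in _DIRECTIVE.finditer(value):
        name, arg = match.group(1).lower(), match.group(2)
        if arg is not None and arg.startswith('"') and arg.endswith('"'):
            arg = arg[1:-1]
        directives[name] = arg if arg else None
    return directives


def session_cookies(headers: List[Header]) -> List[str]:
    """Names of Set-Cookie cookies in this response that look like session IDs."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.lower() in SESSION_COOKIE_NAMES:
                names.append(cookie)
    return names


def audit_response(headers: List[Header]) -> List[str]:
    """Return findings for the response's cache policy; an empty list means OK."""
    cookies = session_cookies(headers)
    if not cookies:
        return []  # no session ID issued, so the page's own cache policy stands
    cc: Dict[str, Optional[str]] = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return []  # caches must not store any part of this response
    if "no-cache" not in cc:
        return [f"session cookie(s) {cookies} issued without Cache-Control: no-store"]
    if cc["no-cache"] is None:
        return ["no-cache without no-store only forces revalidation; the stored "
                "response, Set-Cookie included, can still be kept by a cache"]
    return [f'no-cache="{cc["no-cache"]}" uses the field-name form, which RFC 7234 '
            "notes is not widely implemented; add no-store for session responses"]


def harden(headers: List[Header]) -> List[Header]:
    """Return a copy of the headers where any response that issues a session
    cookie carries Cache-Control: no-store in place of whatever policy it had."""
    if not session_cookies(headers):
        return list(headers)
    kept = [(n, v) for n, v in headers if n.lower() != "cache-control"]
    return kept + [("Cache-Control", "no-store")]


if __name__ == "__main__":
    # Constructed sample: the cheat sheet's field-name form plus a session cookie.
    sample = [
        ("Cache-Control", 'no-cache="Set-Cookie, Set-Cookie2"'),
        ("Set-Cookie", "sessionid=CONSTRUCTED-ID; HttpOnly; Secure; SameSite=Lax"),
    ]
    for finding in audit_response(sample):
        print("finding:", finding)
    print("hardened:", harden(sample))
```

Run the file directly to see the finding for the quoted field-name form and the rewritten header set. Applying `no-store` only to responses that actually issue a session cookie keeps static assets cacheable while removing the session ID from every cache, which is the separation the cheat sheet's wording was aiming for.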