41 lines
1.6 KiB
Plaintext
41 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Cookies without fixed lifetimes or expiration dates are known as non-persistent, or "session" cookies, meaning they last only as long as the browser session, and poof away when the browser closes. Cookies with expiration dates, "persistent" cookies, are stored/persisted until those dates.
|
|
|
|
|
|
Non-persistent cookies should be used for the management of logged-in sessions on web sites. To make a cookie non-persistent, simply omit the ``++expires++`` attribute.
|
|
|
|
|
|
This rule raises an issue when ``++expires++`` is set for a session cookie, either programmatically or via configuration, such as ``++session.cookie_lifetime++``.
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Pass "0" as first argument.
|
|
* Configure "session.cookie_lifetime" to 0.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 1 Sep 2015, 08:00:50 Linda Martin wrote:
|
|
LGTM!
|
|
|
|
=== on 15 Sep 2015, 21:15:49 Evgeny Mandrikov wrote:
|
|
IMO from an implementation point of view this RSPEC is underspecified, so removing targeting for ``{cpp}`` for now.
|
|
|
|
endif::env-github,rspecator-view[]
|