30 lines
1.3 KiB
Plaintext
30 lines
1.3 KiB
Plaintext
Cookies without fixed lifetimes or expiration dates are known as non-persistent, or "session" cookies, meaning they last only as long as the browser session, and poof away when the browser closes. Cookies with expiration dates, "persistent" cookies, are stored/persisted until those dates.
|
|
|
|
|
|
Non-persistent cookies should be used for the management of logged-in sessions on web sites. To make a cookie non-persistent, simply omit the ``++expires++`` attribute.
|
|
|
|
|
|
This rule raises an issue when ``++expires++`` is set for a session cookie, either programmatically or via configuration, such as ``++session.cookie_lifetime++``.
|
|
|
|
== See
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
|
|
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|