
== Why is this an issue?

Cookies without a fixed lifetime (no ``++expires++`` or ``++Max-Age++`` attribute) are known as non-persistent, or "session", cookies: the browser keeps them in memory only for the duration of the browsing session and discards them when it closes. Cookies with an expiration date, "persistent" cookies, are written to disk and kept until that date.

Non-persistent cookies should be used for the management of logged-in sessions on web sites. A persistent session cookie survives browser restarts and stays in the browser's cookie store on disk, so a logged-in session can be resumed by anyone who later uses the same browser profile (a shared machine, a stolen laptop) and the session identifier is exposed to any software able to read that store. To make a cookie non-persistent, simply omit the ``++expires++`` attribute; in PHP, leave ``++session.cookie_lifetime++`` at its default of ``++0++``, which means "until the browser is closed".

This rule raises an issue when ``++expires++`` is set for a session cookie, either programmatically or via configuration, such as ``++session.cookie_lifetime++``.
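The following Python script is an added example, not part of this rule specification or of any Sonar analyzer. It applies the same check to raw ``++Set-Cookie++`` response headers, as you might pull them from a proxy capture of the running application, and goes a little beyond the text above: it also treats ``++Max-Age++`` as a lifetime (browsers give it precedence over ``++expires++``), and it does not flag a past ``++expires++`` date or ``++Max-Age=0++``, which delete the cookie at logout rather than persist it. The session-cookie name list, the sample headers and the fixed clock are constructed for the demonstration, and the date parsing uses the RFC 2822 parser from the standard library as an approximation of the RFC 6265 cookie-date algorithm.

```python
"""Audit Set-Cookie headers for persistent session cookies.

Added example, not part of the RSPEC or any Sonar analyzer. The header
samples, the session-cookie name list and the fixed clock are constructed
for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Union


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for value-less flags
    attributes: Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value: 'name=value; Attr=val; Flag'."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attributes: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else True
    return SetCookie(name.strip(), value.strip(), attributes)


def is_persistent(cookie: SetCookie, now: Optional[datetime] = None) -> bool:
    """True if the cookie outlives the browser session.

    Follows RFC 6265: Max-Age wins over Expires; Max-Age <= 0 or an Expires
    date in the past deletes the cookie (a logout), so neither is persistence;
    an attribute a browser would ignore as unparseable is ignored here too.
    """
    now = now or datetime.now(timezone.utc)
    attrs = cookie.attributes
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return int(max_age) > 0
        except ValueError:
            pass  # invalid Max-Age is ignored; fall back to Expires
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            # RFC 2822 parser used as an approximation of the cookie-date grammar
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False


# Constructed sample: what a proxy capture of a PHP application might show.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "connect.sid", "sessionid"}

SAMPLE_HEADERS: List[str] = [
    "PHPSESSID=3f9a1c7e; path=/; HttpOnly; Secure",                       # 0: session cookie, OK
    "PHPSESSID=3f9a1c7e; expires=Fri, 31 Dec 2027 23:59:59 GMT; path=/",  # 1: lifetime > 0, flagged
    "JSESSIONID=9B2F4A; Max-Age=2592000; Path=/; HttpOnly",               # 2: 30-day Max-Age, flagged
    "theme=dark; Max-Age=31536000; Path=/",                               # 3: persistent but not a session cookie
    "PHPSESSID=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/",   # 4: logout, deletes the cookie
    "PHPSESSID=3f9a1c7e; Max-Age=0; path=/",                              # 5: also a deletion
]

# Fixed clock so the audit result is reproducible.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def audit_set_cookie_headers(headers, session_names=SESSION_COOKIE_NAMES,
                             now=None) -> List[int]:
    """Return the indices of headers that set a persistent session cookie."""
    flagged = []
    for index, header in enumerate(headers):
        cookie = parse_set_cookie(header)
        if cookie.name.lower() in session_names and is_persistent(cookie, now):
            flagged.append(index)
    return flagged


def audit_sample() -> List[int]:
    """Run the audit over the constructed sample with the fixed clock."""
    return audit_set_cookie_headers(SAMPLE_HEADERS, now=FIXED_NOW)


if __name__ == "__main__":
    for i in audit_sample():
        print(f"persistent session cookie: {SAMPLE_HEADERS[i]}")
```

Only headers 1 and 2 are reported. In PHP terms, header 1 is what a positive ``++session.cookie_lifetime++`` (or a positive first argument to ``++session_set_cookie_params()++``) produces; the fix is to leave the lifetime at 0. Header 4 shows why a naive "does it have ``++expires++``" test is too broad: the same attribute with a past date is how the application removes the cookie at logout.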

== Resources

* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Pass "0" as first argument.
* Configure "session.cookie_lifetime" to 0.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 08:00:50 Linda Martin wrote:
LGTM!

=== on 15 Sep 2015, 21:15:49 Evgeny Mandrikov wrote:
IMO from an implementation point of view this RSPEC is underspecified, so removing targeting for ``{cpp}`` for now.

endif::env-github,rspecator-view[]
|