22 lines
649 B
Plaintext
22 lines
649 B
Plaintext
A session id should not be used in application logs or as an identifier (in a cache, blacklist, &etc.) because its use could leave user sessions vulnerable to theft if the application is compromised in some other way.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,text]
|
|
----
|
|
public void doGet(HttpServletRequest request, HttpServletResponse response)
|
|
throws ServletException, IOException {
|
|
HttpSession session = request.getSession(false);
|
|
String sessionId = session.getId(); // Noncompliant
|
|
|
|
// ...
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
|
|