# Session Cookies

To implement session cookies securely, the cookie itself must be hardened and the session management behind it must be implemented securely.

OWASP Top 10: A07:2021 (Identification and Authentication Failures)

# Background

# Context

A session cookie should be hardened according to the following OWASP requirements:

  • HttpOnly: The cookie cannot be read by client-side script, which limits theft through XSS
  • Secure: The cookie is only attached to HTTPS requests
  • SameSite: Defines whether the cookie is sent with cross-site requests or not
  • Domain: Restricts which domains and subdomains receive the cookie
  • Path: Restricts which paths the cookie is sent to
  • Max-Age/Expires: Sets when the cookie is deleted

# Problems

  • The requirements above need to be implemented and configured for the web application in question
  • Session management also needs to be considered (creation of the session ID, timeouts, storage of session information)

# Solution

  • Use libraries or framework-native implementations

# Technology

# Express

In Express, the cookie-session library should be used.

  • The cookie should be renamed from express:sess to something generic such as sessionID
  • By default the cookie is only protected with Secure and HttpOnly
  • Uses SHA1 for the cookie signature by default; this should be changed to, for example, SHA256 (see the referenced code example)

# Spring Boot

Spring Security adds session cookies to Spring Boot applications by default.

  • The cookie should also be renamed from JSESSIONID to a more generic name
  • HttpOnly is set to true
  • Secure defaults to false and therefore has to be enabled
  • The session ID is a randomly generated version 4 UUID and therefore secure

Last Updated: 7/3/2022, 3:51:46 PM