# Session Cookies
In order to use session cookies securely, two things are needed: the cookie itself has to be hardened with the right attributes, and the session management behind it (ID generation, timeouts, storage) needs to be implemented securely.
A07:2021 (Identification and Authentication Failures)
# Background
# Context
A cookie should be hardened with the following attributes, as recommended by OWASP:
- HttpOnly: The cookie cannot be accessed from client-side script (for example through XSS attacks); the browser still sends it with requests
- Secure: The cookie is only sent over HTTPS requests
- SameSite: Defines whether the cookie is sent in cross-site requests (`Strict`, `Lax`) or not restricted at all (`None`)
- Domain: Restricts the cookie to a host and all of its subdomains; if omitted, the cookie is only sent to the exact host that set it
- Path: Restricts the cookie to certain paths (not a security boundary, since script on another path of the same origin can still read it)
- Max-Age/Expires: Sets when a cookie is deleted; without either, the cookie lives until the browser session ends
# Problems
- The above attributes need to be set and configured for the corresponding web application
- Session management also needs to be considered (creation of the session ID, timeouts, storage of session information)
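The attributes listed under Context are easy to forget for one cookie, so the following check, added here and not part of the original page, audits `Set-Cookie` headers against them using only Node.js built-ins. The headers are constructed samples: the first two mimic the default session cookies of cookie-session (`express:sess`) and of the servlet container behind Spring Boot (`JSESSIONID`), the third is a hardened cookie. The names `parseSetCookie`, `auditSetCookie`, `auditAll` and the one-day `MAX_AGE_LIMIT_SECONDS` threshold are assumptions of this example.

```javascript
// Added example (not from the original page): audit Set-Cookie headers for the
// hardening attributes listed above, using only Node.js built-ins.
// Constructed samples: the first two mimic the default session cookies of
// cookie-session (express:sess) and of the servlet container behind Spring Boot
// (JSESSIONID); the third is a hardened cookie.
const SAMPLE_SET_COOKIE_HEADERS = [
  'express:sess=eyJ1c2VyIjoiYWxpY2UifQ==; path=/; httponly',
  'JSESSIONID=5F1C3E2A9B8D7A6C4E1F0B2D3A4C5E6F; Path=/; HttpOnly',
  'sessionID=Qm8fTqz1; Path=/; Domain=example.com; Max-Age=3600; HttpOnly; Secure; SameSite=Strict',
];

// Cookie names that reveal the framework; extend the list for your stack.
const DEFAULT_SESSION_NAMES = ['express:sess', 'JSESSIONID'];

// Assumption of this example: a session cookie that lives longer than a day is
// reported so that the session timeout gets a conscious decision.
const MAX_AGE_LIMIT_SECONDS = 24 * 60 * 60;

// Split one Set-Cookie header into name, value and a lower-cased attribute map.
// Attribute names are case-insensitive (RFC 6265); flags without a value
// (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Compare one cookie against the requirements; returns the list of findings
// (empty when the cookie passes).
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) findings.push('missing HttpOnly');
  if (attrs.secure !== true) findings.push('missing Secure');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (!sameSite) findings.push('missing SameSite');
  else if (sameSite === 'none') findings.push('SameSite=None: cookie is sent on cross-site requests');
  if (DEFAULT_SESSION_NAMES.includes(name)) findings.push(`default cookie name ${name}`);
  if (typeof attrs.domain === 'string') {
    findings.push(`Domain=${attrs.domain}: cookie is shared with all subdomains`);
  }
  if (typeof attrs['max-age'] === 'string' && Number(attrs['max-age']) > MAX_AGE_LIMIT_SECONDS) {
    findings.push(`Max-Age=${attrs['max-age']} exceeds ${MAX_AGE_LIMIT_SECONDS} seconds`);
  }
  return { name, findings };
}

// Audit every header of a response, e.g. res.headers['set-cookie'] from an http.get().
function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const { name, findings } of auditAll(SAMPLE_SET_COOKIE_HEADERS)) {
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'ok'}`);
}
```

Feed `auditAll` the `set-cookie` array of a real response from the application under review; the default-name and missing-attribute findings are the ones that map directly to the list above, the Domain finding is the caveat that a cookie scoped to a parent domain is readable by every subdomain.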
# Solution
- Usage of libraries or framework native implementations
# Technology
# Express
In Express the library cookie-session should be used.
- The cookie should be renamed from `express:sess` into something generic like `sessionID`
- Per default cookies are only protected with `httpOnly` (always set) and `secure` (set only when the request already arrived over HTTPS); `sameSite` is not set and has to be configured explicitly
- Cookies are signed with SHA1 per default (via Keygrip); this should be changed to for example SHA256 by passing a Keygrip instance configured for `sha256` as `keys`
# Spring Boot
In Spring Boot applications the servlet container (Tomcat per default) creates the session cookie, and Spring Security keeps the authenticated user in that HTTP session.
- The cookie should also be renamed from `JSESSIONID` to a more generic name (`server.servlet.session.cookie.name`)
- `HttpOnly` is set to true per default
- `Secure` defaults to false and has to be enabled (`server.servlet.session.cookie.secure=true`); `SameSite` is not set per default and can be configured with `server.servlet.session.cookie.same-site` (Spring Boot 2.6 and later); the timeout is set with `server.servlet.session.timeout`
- The session ID is unpredictable: with Spring Session it is a version four UUID, with plain Tomcat a random value drawn from `SecureRandom`