Edit summary (old revision): No edit summary
Edit summary (new revision): Updated SameSite cookie recommendations
Line 147: | Line 147: | ||
* Store session keys server side (typically in a db) so that they can be revoked immediately. | * Store session keys server side (typically in a db) so that they can be revoked immediately. | ||
* Session keys must be changed on login to prevent session fixation attacks. | * Session keys must be changed on login to prevent session fixation attacks. | ||
* Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict'. | * Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login). | ||
* For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet) | * For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet) | ||
* [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review. | * [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review. |
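Review bot: the parenthetical added to the SameSite bullet, "(which allows external regular links to login)", is ambiguous and does not state what 'lax' actually relaxes: with SameSite=Lax the session cookie is still sent on top-level cross-site navigations that use a safe method such as GET (a user following a link from another site arrives already logged in), which is the only difference from 'strict'. Suggest rewording so the trade-off and its precondition are explicit, e.g. "set to 'strict', or 'lax' where users must arrive logged in via links from other sites; 'lax' still sends the cookie on top-level GET navigations, so no state-changing action may be reachable via GET". As written, a reader could treat 'lax' as interchangeable with 'strict' and rely on it as the CSRF defence for GET endpoints.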