[RSPEC-2643] Session id should not be used - SonarSource

XML

Word

Printable

Details

Type: Vulnerability Detection
Status: Active
Resolution: Unresolved
Labels:
- owasp-a2

Message:
Remove this access of session id.
Default Severity:
Critical
Impact:
High
Likelihood:
Low
Targeted languages:

C#, Java, PHP
Remediation Function:
Constant/Issue
Constant Cost:
15min
Analysis Scope:

Main Sources
Implementation details:
- java-top
Common Rule:

Yes

OWASP:
A2

Description

A session id should not be used in application logs or as an identifier (in a cache, blacklist, &etc.) because its use could leave user sessions vulnerable to theft if the application is compromised in some other way.

Noncompliant Code Example

public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException  {
  HttpSession session = request.getSession(false);
  String sessionId = session.getId();  // Noncompliant

  // ...
}

See

OWASP Top 10 2017 Category A2 - Broken Authentication

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ann Campbell

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 24/Feb/15 7:00 PM

Updated:: 07/May/19 10:12 AM