Rules Repository: RSPEC-2643

Session id should not be used


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Remove this access of session id.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • OWASP:
      A2

      Description

      A session id should not be used in application logs or as an identifier (in a cache, blacklist, etc.) because every place it is copied to becomes another place it can be stolen from: if an attacker gains read access to those logs or stores through some other weakness in the application, they can replay the id and hijack the user's session.

      Noncompliant Code Example

      import java.io.IOException;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;

      public void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        String sessionId = session.getId();  // Noncompliant: the id is read so it can be logged or used as a key

        // ...
      }
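      A compliant counterpart, added here as an illustration and not part of the rule page or of SonarSource's own material: instead of reading session.getId(), the servlet stores a separate random token as a session attribute and uses that token for logging and cache keys. Leaking the token does not let anyone resume the session, because the container only recognises the real id from the cookie. The class name, the attribute name app.traceId and the use of java.util.logging are assumptions made for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CompliantServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(CompliantServlet.class.getName());
    // Hypothetical attribute name under which the non-secret correlation token is kept.
    private static final String TRACE_ID_ATTR = "app.traceId";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Compliant: session.getId() is never read. A separate token that cannot
        // authenticate the user is what ends up in logs and cache keys.
        String traceId = traceIdFor(session);
        LOG.info("Handling request for session trace " + traceId);
        // ... application logic, e.g. cache.get(traceId)
    }

    /**
     * Returns a random identifier bound to this session but useless for hijacking it.
     * The token is created on first use and then reused for the life of the session.
     */
    static String traceIdFor(HttpSession session) {
        Object existing = session.getAttribute(TRACE_ID_ATTR);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] bytes = new byte[16];                 // 128 bits from a CSPRNG
        RNG.nextBytes(bytes);
        String traceId = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        session.setAttribute(TRACE_ID_ATTR, traceId);
        return traceId;
    }
}
```

      The same token can serve as the key for a per-session cache or blacklist entry; what matters is that the value stored outside the session cookie is one the container will never accept as a session id.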
      

      People

      Assignee: Unassigned
      Reporter: ann.campbell.2 Ann Campbell