Cookies are an essential part of any web application; they are used for many purposes, including user authentication. A cookie is a small piece of data set by a web server's response and stored for a certain period of time on the client's computer. After a cookie has been set, all of the information within it is sent with every subsequent request to the cookie's domain. Consequently, the information within a cookie is insecure: it is exposed to cross-site scripting (XSS) and man-in-the-middle attacks, among others. Cookie attributes such as Secure and HttpOnly narrow those attack paths but do not make a cookie a safe place for secrets, because the value still leaves the server and persists on the client. Servers must therefore ensure that cookies contain no excess or sensitive information about users. A partial list of such information includes user names, passwords, password hashes, credit card numbers, and any personally identifiable information about the user.
...
This solution also invalidates the current session and creates a new session to avoid session fixation attacks; see [SD:OWASP 2009]. The solution also reduces the window in which an attacker could perform a session hijacking attack by setting the session timeout to one (note that HttpSession.setMaxInactiveInterval() interprets its argument in seconds).
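The following servlet is an added example (not the page's own compliant solution) that puts together the two points above: the "remember me" cookie carries only an opaque random token that the server maps back to the user, so no user name, password or hash ever reaches the client, and a successful login discards any pre-existing session and starts a fresh one with a short inactivity timeout. The AuthService interface, the RememberMeStore class and the "authService" context attribute are assumptions introduced for the example; the javax.servlet.http calls are the real Servlet 3.0 API.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; not code from the original page.
public class LoginServlet extends HttpServlet {
  private static final String REMEMBER_ME = "rememberme";
  private static final int SESSION_TIMEOUT_SECONDS = 15 * 60;
  private static final int COOKIE_MAX_AGE_SECONDS = 14 * 24 * 60 * 60;
  private static final SecureRandom RNG = new SecureRandom();

  // Hypothetical credential checker supplied by the deployment.
  public interface AuthService {
    boolean isValid(String user, char[] password);
  }

  // Hypothetical server-side map from opaque token to user; the secret
  // association stays on the server, only the random token goes to the client.
  public static final class RememberMeStore {
    private final Map<String, String> tokens = new ConcurrentHashMap<>();
    public void put(String token, String user) { tokens.put(token, user); }
    public String userFor(String token) { return tokens.get(token); }
  }

  private AuthService auth;
  private final RememberMeStore store = new RememberMeStore();

  @Override
  public void init() throws ServletException {
    // Assumption: the application registers its AuthService in the context.
    auth = (AuthService) getServletContext().getAttribute("authService");
    if (auth == null) {
      throw new ServletException("authService not configured");
    }
  }

  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    String user = req.getParameter("username");
    String pass = req.getParameter("password");
    if (user == null || pass == null || !auth.isValid(user, pass.toCharArray())) {
      resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }

    // Session fixation defence: drop any session that existed before login
    // (an attacker may have planted its ID) and issue a brand-new one.
    HttpSession old = req.getSession(false);
    if (old != null) {
      old.invalidate();
    }
    HttpSession session = req.getSession(true);
    session.setAttribute("user", user);
    // Short inactivity timeout limits the window for session hijacking.
    session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);

    if (Boolean.parseBoolean(req.getParameter(REMEMBER_ME))) {
      // 256 bits from SecureRandom; the token is meaningless without the store.
      byte[] raw = new byte[32];
      RNG.nextBytes(raw);
      String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
      store.put(token, user);

      Cookie c = new Cookie(REMEMBER_ME, token);
      c.setHttpOnly(true);  // unreadable from script, blunts XSS theft
      c.setSecure(true);    // sent only over TLS, blunts man-in-the-middle capture
      c.setPath("/");
      c.setMaxAge(COOKIE_MAX_AGE_SECONDS);
      resp.addCookie(c);
    }
  }

  // Resolves the remembered user, if any. Cookies are looked up by name rather
  // than by position: the order of getCookies() is not under the server's control.
  String rememberedUser(HttpServletRequest req) {
    Cookie[] cookies = req.getCookies();
    if (cookies == null) {
      return null;
    }
    for (Cookie c : cookies) {
      if (REMEMBER_ME.equals(c.getName()) && c.getValue() != null) {
        return store.userFor(c.getValue());
      }
    }
    return null;
  }
}
```

Note that Cookie.setHttpOnly() exists only from Servlet 3.0 (Java EE 6) onward; on older containers the attribute has to be emitted through a raw Set-Cookie header instead.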
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c1284a4b84838224-401d5863-4be142f0-83c1a405-eb5a61df74c644a35804f606"><ac:plain-text-body><![CDATA[ | [java:[MITRE 2009 | AA. References#MITRE 09]] | [CWE-539 | http://cwe.mitre.org/data/definitions/539.html] "Information Exposure through Persistent Cookies" | ]]></ac:plain-text-body></ac:structured-macro> |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="683b531ea6ebe597-23bfdf89-44434610-b8c3bb70-396c008822b3cb4ebe15606d"><ac:plain-text-body><![CDATA[ | [SD:OWASP 2009] | [Session Fixation in Java | http://www.owasp.org/index.php/Session_Fixation_in_Java] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="79840dce8cb6b3c8-5b521dbd-47e344d7-83f69dd2-7fb837c7d907e61a34024bcd"><ac:plain-text-body><![CDATA[ | [SD:OWASP 2010] | [Cross-site Scripting | http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="18a65410325bce04-804e81c9-46754fee-968c9bd3-61e0a13bf8a8207c46172b92"><ac:plain-text-body><![CDATA[ | [SD:Oracle 2010] | [javax.servlet.http Package API | http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...