
Cobalt Vulnerability Wiki


V3 - Session Management

One of the core components of any web-based application or stateful API is the mechanism by which it controls and maintains the state for a user or device interacting with it. Session management turns a stateless protocol into a stateful one, which is critical for distinguishing between users or devices.

Ensure that a verified application satisfies the following high-level session management requirements:

• Sessions are unique to each individual and cannot be guessed or shared.

• Sessions are invalidated when no longer required and timed out during periods of inactivity.

As previously noted, these requirements have been adapted to be a compliant subset of selected NIST 800-63b controls, focused around common threats and commonly exploited authentication weaknesses. Previous verification requirements have been retired, de-duped, or in most cases adapted to be strongly aligned with the intent of mandatory NIST 800-63b requirements.
