SCP04 Session Management
What this means
SiteShadow flagged session handling patterns that can enable hijacking, fixation, or unintended persistence (missing cookie flags, long-lived sessions, weak rotation, sessions not invalidated on logout).
Why it matters
Weak session handling leads to hijacking or fixation.
- Session hijacking via stolen cookies (XSS, logs, insecure transport).
- Session fixation when session identifiers aren't rotated on login (see CWE-384).
- Persistent compromise when sessions don't expire or aren't revoked.
Safer examples
1) Use secure cookie attributes
Set HttpOnly, Secure, and SameSite for session cookies (see CWE-614 / S02).
2) Rotate session IDs on privilege changes
Rotate on login and after step-up auth; invalidate older sessions.
3) Keep sessions short-lived and revocable
Use idle + absolute timeouts; provide server-side revocation for logout and password changes.
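The three practices above combined in one minimal server-side session store, added here as an illustration in plain Python (not SiteShadow's or any framework's code): a 256-bit random id, rotation on login, idle and absolute timeouts, revocation on logout and password change, and the cookie attributes from step 1. The timeout values, class and function names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 h hard lifetime, active or not

@dataclass
class Session:
    user: Optional[str]   # None until the client authenticates
    created: float
    last_seen: float

class SessionStore:
    """Server-side table; the cookie carries only an opaque random id."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so timeouts can be tested
        self._sessions: Dict[str, Session] = {}
    def create(self, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        t = self.now()
        self._sessions[sid] = Session(user, t, t)
        return sid
    def get(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired: deleted server-side, not just ignored
            return None
        s.last_seen = t
        return s
    def login(self, old_sid: str, user: str) -> str:
        """Rotate on privilege change: the pre-auth id is discarded (CWE-384)."""
        self._sessions.pop(old_sid, None)
        return self.create(user)
    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # server-side revocation, not only cookie deletion
    def revoke_user(self, user: str) -> int:
        """Password change / logout everywhere: drop every session of this user."""
        doomed = [k for k, v in self._sessions.items() if v.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

def session_cookie(sid: str) -> str:
    # Attributes from step 1: no script access, HTTPS only, no cross-site sending
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```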
How SiteShadow detects it (high level)
- Detects insecure cookie/session configurations and long-lived session patterns.
- Flags missing rotation/invalidation around login/logout and privilege changes.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---