Home > taxonomy > asvs 4.0.3 > 03 session management > 02 session binding

Session Binding

V3.2.1

Verify the application generates a new session token on user authentication. (C6)

Level 1 required: True

Level 2 required: True

Level 3 required: True

CWE: 384

V3.2.2

Verify that session tokens possess at least 64 bits of entropy. (C6)

Level 1 required: True

Level 2 required: True

Level 3 required: True

CWE: 331

V3.2.3

Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage.

Level 1 required: True

Level 2 required: True

Level 3 required: True

CWE: 539

V3.2.4

Verify that session tokens are generated using approved cryptographic algorithms. (C6)

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 331

Disclaimer:

Credit via OWASP ASVS. For more information visit The OWASP ASVS Project or Github respository.. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.

View source on GitHub