OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Session Management - caching guidelines #1499

Open SnowdenWintermute opened 2 hours ago

SnowdenWintermute commented 2 hours ago

In the Web Content Caching section it says:

"Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID (see here)."

But I am confused because MDN says (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control)

"Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use."

So does this mean we should be sending the no-store directive with any response from our server which includes a header of set-cookie: sessionid=someid?

jmanico commented 2 hours ago

I think sending no-store is also a good idea and will not harm the cookie flow at all.
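The distinction the thread turns on (no-cache lets a cache store the response and revalidate it; no-store forbids storing it) can be checked mechanically. The following Python is an added example written for this page, not code from the OWASP project or from either commenter. It assumes a response is represented as a list of (header-name, value) pairs and that session cookies can be recognised by a small, assumed list of common names; it parses Cache-Control (including the quoted form Cache-Control: no-cache="Set-Cookie, Set-Cookie2" quoted from the cheat sheet), classifies how a response that sets a session cookie may be cached, and rewrites it to carry no-store as suggested in the reply.

```python
"""Classify and harden the cache posture of responses that set a session cookie.

Added example for the OWASP issue thread above; not the project's own code.
Headers are modelled as a list of (name, value) tuples, as a WSGI app or
proxy filter would see them.
"""

# Assumed list of cookie names treated as session identifiers (lower-case).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}.

    Directives are comma separated; an argument may be a quoted string that
    itself contains commas (e.g. no-cache="Set-Cookie, Set-Cookie2"), so the
    split must respect double quotes.
    """
    parts, token, in_quotes = [], "", False
    for ch in value or "":
        if ch == '"':
            in_quotes = not in_quotes
            token += ch
        elif ch == "," and not in_quotes:
            parts.append(token)
            token = ""
        else:
            token += ch
    parts.append(token)

    directives = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie value ('name=value; attrs...')."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def session_cookie_names(headers):
    """Names of session cookies set by the response, per SESSION_COOKIE_NAMES."""
    return [
        cookie_name(v)
        for n, v in headers
        if n.lower() == "set-cookie" and cookie_name(v).lower() in SESSION_COOKIE_NAMES
    ]


def cache_verdict(headers):
    """Classify a response's caching posture with respect to its session cookie.

    Returns one of:
      'no-session-cookie' - nothing to protect
      'no-store'          - caches must not store the response at all
      'no-cache-only'     - storable, only revalidation is required (the MDN caveat)
      'cacheable'         - no restricting directive at all
    """
    if not session_cookie_names(headers):
        return "no-session-cookie"
    directives = {}
    for n, v in headers:
        if n.lower() == "cache-control":
            directives.update(parse_cache_control(v))
    if "no-store" in directives:
        return "no-store"
    if "no-cache" in directives:
        return "no-cache-only"
    return "cacheable"


def harden_headers(headers):
    """Return a copy of headers where any response that sets a session cookie
    carries Cache-Control: no-store; Pragma: no-cache is added for legacy
    HTTP/1.0 caches that ignore Cache-Control. Other responses are unchanged."""
    if not session_cookie_names(headers):
        return list(headers)
    kept = [(n, v) for n, v in headers if n.lower() not in ("cache-control", "pragma")]
    return kept + [("Cache-Control", "no-store"), ("Pragma", "no-cache")]


# Constructed sample responses (not captured traffic).
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("Cache-Control", 'no-cache="Set-Cookie, Set-Cookie2"'),  # storable, revalidate only
]
STATIC_ASSET_RESPONSE = [
    ("Content-Type", "text/css"),
    ("Cache-Control", "public, max-age=3600"),
]

if __name__ == "__main__":
    print(cache_verdict(WEAK_LOGIN_RESPONSE))                  # no-cache-only
    print(cache_verdict(harden_headers(WEAK_LOGIN_RESPONSE)))  # no-store
    print(cache_verdict(STATIC_ASSET_RESPONSE))                # no-session-cookie
```

Running cache_verdict over a proxy's response log is a quick way to find endpoints that set a session cookie with only no-cache; harden_headers is the shape of a response filter that applies the reply's advice without touching responses that set no session cookie, so static assets keep their normal cache lifetime.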