OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

4.2 requires random access tokens where signed access tokens could also suffice #93

Closed Sjord closed 7 years ago

Sjord commented 7 years ago

V4 says:

4.2. The remote endpoint uses randomly generated access tokens to authenticate client requests without sending the user's credentials.

However, when using a JWT (or any other signed data) as access token it can be secure, but it is definitely not randomly generated. Can this requirement be made more generic so that it includes both random session IDs and JWTs?

sushi2k commented 7 years ago

Thanks for bringing this up. Just made a PR: https://github.com/OWASP/owasp-masvs/pull/94 Requirement 4.3 is new and 4.2 was slightly changed. So classical session management and stateless authentication are covered. What do you guys think? @b-mueller @Sjord

jmanico commented 7 years ago

Isn't the whole point of signed JWTs to avoid the need for a session and contain all data needed to verify a claim?

-- Jim Manico


sushi2k commented 7 years ago

@jmanico Yes, that's why we were proposing to split requirement 4.2 into two requirements, which will be a redefined requirement 4.2 (classic session management) and a new requirement 4.3 (stateless authentication).

Check the PR: https://github.com/OWASP/owasp-masvs/pull/94/files
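To make the split concrete, here is an added example (written for this thread, not MASVS project code) of the two token styles the redefined 4.2 and the new 4.3 distinguish: an opaque token drawn from a CSPRNG and looked up server-side, beside a stateless HS256-signed token whose signature and expiry are verified instead. `SERVER_KEY`, `SESSION_STORE` and all function names are assumptions of the example.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumed server-side HMAC key (never sent to the client)
SESSION_STORE = {}                     # assumed store: sha256(token) -> user

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Classic session management (redefined 4.2): randomly generated token ---
def issue_session_token(user: str) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, no internal structure
    # store only a hash so a leaked store does not yield live tokens
    SESSION_STORE[hashlib.sha256(token.encode()).hexdigest()] = user
    return token

def authenticate_session_token(token: str):
    # validity comes purely from the server-side lookup, nothing in the token is trusted
    return SESSION_STORE.get(hashlib.sha256(token.encode()).hexdigest())

# --- Stateless authentication (new 4.3): signed, JWT-style token ---
def issue_signed_token(user: str, ttl: int = 900, now=None) -> str:
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authenticate_signed_token(token: str, now=None):
    # the token is not random, its trustworthiness rests on the signature and claims check
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never accept "none" or whatever the header says
        expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # tampered payload or forged signature
        claims = json.loads(b64url_decode(payload))
        if claims.get("exp", 0) <= now:
            return None  # expired; a stateless token cannot be revoked by a lookup
        return claims.get("sub")
    except (ValueError, UnicodeDecodeError):
        return None
```

The random token carries no meaning and is checked by lookup; the signed token carries its claims and is checked by signature and expiry, which is why a single "randomly generated" wording could not cover both.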

jmanico commented 7 years ago

Awesome!

-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805


sushi2k commented 7 years ago

Just merged the PR. Thanks again @Sjord for bringing it up.