Closed (Sjord closed this issue 7 years ago)
Thanks for bringing this up. Just made a PR: https://github.com/OWASP/owasp-masvs/pull/94 Requirement 4.3 is new and 4.2 was slightly changed, so classical session management and stateless authentication are both covered. What do you guys think? @b-mueller @Sjord
Isn't the whole point of signed JWTs to avoid the need for a session and to contain all the data needed to verify a claim?
-- Jim Manico
On Jun 13, 2017, at 4:45 AM, Sven notifications@github.com wrote:
Thanks for bringing this up. Just made a PR: #94 What do you guys think? @b-mueller @Sjord
@jmanico Yes, that's why we were proposing to split requirement 4.2 into two requirements: a redefined requirement 4.2 (classic session management) and a new requirement 4.3 (stateless authentication).
Check the PR: https://github.com/OWASP/owasp-masvs/pull/94/files
Awesome!
-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805
On Jun 13, 2017, at 9:08 AM, Sven notifications@github.com wrote:
@jmanico Yes, that's why we were proposing to split requirement 4.2 into two requirements: a redefined requirement 4.2 (classic session management) and a new requirement 4.3 (stateless authentication).
Check the PR: https://github.com/OWASP/owasp-masvs/pull/94/files
Just merged the PR. Thanks again @Sjord for bringing it up.
V4 says:
However, when using a JWT (or any other signed data) as an access token it can be secure, but it is definitely not randomly generated. Can this requirement be made more generic so that it includes both random session IDs and JWTs?