Wilsonator123 / Secure-Blog-Page

DSS Project

Session ID / Cookies #17

Closed Wilsonator123 closed 5 months ago

Wilsonator123 commented 7 months ago

Session IDs are stored in cookies and are cryptographically randomly generated strings that authorize users on a website.

Session IDs are created on the backend and are never interacted with on the frontend.

We use JWT to generate our Session ID

Requirements List

  1. The cookie must be called id to prevent leaking any structural information
  2. The ID must be 128 bits long
  3. The ID must have a 64 bit entropy and must use a good CSPRNG
  4. IDs must be unique and never duplicated
  5. The ID must have no meaning and pattern
  6. All code related to session ID generation/alteration must be Server Side
  7. Use cookies and only cookies for session ID
  8. Use HTTPS to protect session ID
  9. Use Secure tag to prevent exposure of cookie
  10. Do not mix HTTP and HTTPS channels (If redirected, create a new session ID)
  11. Use HSTS
  12. Use HttpOnly tag to restrict cookies to only being accessed in HTTP requests
  13. Use SameSite tag to prevent cookies being used from other domains
  14. Can use path to restrict where cookie can be accessed on page (Path=/login,/signup)
  15. Use non-persistent (expires after session) where possible
  16. Use Max-Age to set the expiry period
  17. Store in database possibly with User, IP, Login Date, Timeouts

Questions to Answer

  1. Should we allow unauthorized Access? / Should we give Session IDs to unauthorized users?
  2. What pages need session IDs and what don't?
  3. What pages shouldn't be accessed without session IDs?
  4. What data should be stored in session database?
  5. How long should a cookie last for?
  6. Should we use non-persistent cookies for higher privileged requests?
  7. What are the privilege levels we have/can give?