Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

8.2.2 improvement, closes #1091 #1126

Merged
merged 1 commit into from
Nov 9, 2021
Merged

8.2.2 improvement, closes #1091 #1126

merged 1 commit into from
Nov 9, 2021

Conversation

elarlang
Copy link
Collaborator

@elarlang elarlang commented Nov 7, 2021

This Pull Request relates to issue #1091

@jmanico
Copy link
Member

jmanico commented Nov 7, 2021
edited
Loading

Can we clean this up just a little before merging? "cookie-based session tokens in cookies" is redundant.

So can we go from:

Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not contain sensitive data, with the exception of cookie-based session tokens in cookies and token-based session tokens in sessionStorage.

to

Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not contain sensitive data, with the exception of cookie-based session tokens and token-based session tokens in sessionStorage.

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 7, 2021
edited
Loading

Do you wnat to change the meaning to "cookie-based session tokens are allowed to be stored in sessionStorage"?

This is not true and this is not the goal for/from me. The point for the exception:

  • cookie-based session tokens are allowed to be stored browser storage, but ONLY in cookies
  • token-based session tokens are allowed to be stored browser storage, but ONLY in sessionStorage

But not cookie-based session tokens in sessionStorage

@jmanico
Copy link
Member

jmanico commented Nov 7, 2021 via email

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 7, 2021

I don't agree, without this phrase the meaning is different. If we can not agree on this or it's not clear like it is, we just need to drop this PR and come with new solution.

@jmanico
Copy link
Member

jmanico commented Nov 7, 2021

Where else would a cookie-based session be stored in a browser? I am confused...

It is implicit that a "cookie-based session" is stored in a cookie.

@jmanico
Copy link
Member

jmanico commented Nov 7, 2021

Hey @tghosth and/or @danielcuthbert can you please take a look at this?

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 8, 2021

Where else would a cookie-based session be stored in a browser? I am confused...

It is implicit that a "cookie-based session" is stored in a cookie.

And this is precisely the reason why we need to make it clear - that for cookie-based session token it is allowed to store the token ONLY in cookies, and do not send it to DOM, store in sessionStorage etc.

I added requirement V3.4.6 and without saying it/duplicate again in 8.2.2, it is in conflict with 3.4.6.

If needed, please go through all the discussion in monster issue which lead me to make this proposal:
#843 (comment)

@jmanico
Copy link
Member

jmanico commented Nov 8, 2021 via email

@jmanico jmanico merged commit e022bd2 into OWASP:master Nov 9, 2021
@elarlang elarlang deleted the asvs-issue-1091 branch January 29, 2022 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elarlang @jmanico