Things To Do
All applications in your organization should be developed following these design goals:
All applications should share a well-debugged and trusted session management mechanism.
All session identifiers should be sufficiently randomized so as to not be guessable.
All session identifiers should use a key space of at least XXXX bits.
All session identifiers should use the largest character set available to it.
Sessions SHOULD time out after 5 minutes of inactivity for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-risk applications.
All session tokens in high-value applications SHOULD be tied to a specific HTTP client instance (session identifier plus client IP address). Be aware that clients behind proxies, NAT or mobile networks can legitimately change address, which is why this binding is reserved for high-value applications; a mismatch should end the session rather than be silently accepted.
Application servers SHOULD use private temporary file areas per client/application to store session data.
All applications SHOULD use a cryptographically secure page or form nonce, carried in a hidden form field, so that every form submission can be matched to a server-issued value.
Each form or page nonce SHOULD be removed from the active list as soon as it is submitted, so that it can be used exactly once and cannot be replayed.
Session ID values submitted by the client should undergo the same validation checks as other request parameters.
High-value applications SHOULD force users to re-authenticate before viewing high-value resources or completing high-value transactions.
Session tokens should be regenerated prior to any significant high value transaction.
In high-value applications, session tokens should be regenerated after a certain number of requests.
In high-value applications, session tokens should be regenerated after a certain period of time.
For all applications, session tokens should be regenerated after any change in user privilege, including successful authentication; issuing a fresh identifier at login is what defeats session fixation.
Applications should log attempts to continue sessions based on invalid session identifiers.
Applications should, if possible, conduct all traffic over HTTPS.
If applications use both HTTP and HTTPS, they MUST regenerate the identifier or use an additional session identifier for HTTPS communications.
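The following is an added example, not code from the original guide, showing how several of the goals above fit together in one server-side session store: identifiers drawn from the OS CSPRNG over the full base64url alphabet, a shape check on the identifier the client presents before any lookup, an idle timeout, binding to the client address, rotation after a request count, after a period of time and on every privilege change, single-use form nonces, a re-authentication age check, and logging of attempts to resume invalid sessions. The policy values (128-bit identifiers, 5-minute idle timeout, rotation after 100 requests or 15 minutes) are assumptions chosen for the high-value tier; the guide leaves the exact key space unspecified.

```python
import hmac
import logging
import re
import secrets
import time

log = logging.getLogger("session")

# Policy values are assumptions for this example, not figures from the guide.
ID_BYTES = 16                     # 128 bits of CSPRNG output per identifier
ID_PATTERN = re.compile(r"\A[A-Za-z0-9_-]{22}\Z")  # shape of token_urlsafe(16)
IDLE_TIMEOUT = 5 * 60             # high-value tier: 5 minutes of inactivity
ROTATE_AFTER_REQUESTS = 100       # regenerate after this many requests
ROTATE_AFTER_SECONDS = 15 * 60    # regenerate after this much time on one id


def new_id() -> str:
    """Unguessable identifier from the OS CSPRNG, base64url character set."""
    return secrets.token_urlsafe(ID_BYTES)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self._sessions = {}         # sid -> record (use a private store per app)

    def create(self, client_ip: str, user=None, privilege="anonymous") -> str:
        sid = new_id()
        now = self.clock()
        self._sessions[sid] = {
            "user": user, "privilege": privilege, "ip": client_ip,
            "created": now, "last_seen": now, "last_auth": None,
            "requests": 0, "nonces": set(),
        }
        return sid

    def resume(self, sid, client_ip):
        """Return (current_sid, record) or (None, None) when the session is rejected."""
        # Treat the cookie like any other untrusted parameter: validate before lookup.
        if not isinstance(sid, str) or not ID_PATTERN.match(sid):
            log.warning("malformed session id from %s", client_ip)
            return None, None
        rec = self._sessions.get(sid)
        if rec is None:
            log.warning("unknown session id %s... from %s", sid[:6], client_ip)
            return None, None
        now = self.clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            log.info("idle timeout for user %s", rec["user"])
            return None, None
        if rec["ip"] != client_ip:
            del self._sessions[sid]
            log.warning("session bound to %s presented from %s", rec["ip"], client_ip)
            return None, None
        rec["last_seen"] = now
        rec["requests"] += 1
        if (rec["requests"] >= ROTATE_AFTER_REQUESTS
                or now - rec["created"] >= ROTATE_AFTER_SECONDS):
            sid = self.regenerate(sid)
            rec = self._sessions[sid]
        return sid, rec

    def regenerate(self, sid):
        """Move the record under a fresh identifier; the old one stops working at once."""
        rec = self._sessions.pop(sid)
        fresh = new_id()
        rec["created"], rec["requests"] = self.clock(), 0
        self._sessions[fresh] = rec
        return fresh

    def change_privilege(self, sid, user, privilege):
        """Login, role change or step-up: record the authentication time and rotate."""
        rec = self._sessions[sid]
        rec["user"], rec["privilege"], rec["last_auth"] = user, privilege, self.clock()
        return self.regenerate(sid)

    def reauth_needed(self, sid, max_age):
        """True when the last authentication is older than max_age seconds (or absent)."""
        last = self._sessions[sid]["last_auth"]
        return last is None or self.clock() - last > max_age

    def issue_nonce(self, sid):
        nonce = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid]["nonces"].add(nonce)
        return nonce

    def consume_nonce(self, sid, nonce):
        """True exactly once per issued nonce; a replayed or forged value returns False."""
        nonces = self._sessions[sid]["nonces"]
        for issued in list(nonces):
            if hmac.compare_digest(issued, nonce):
                nonces.discard(issued)
                return True
        return False
```

The identifier is 22 characters of base64url, which is the full character set the cookie header can carry without encoding; the regular expression rejects anything else before the store is consulted, so a probe with a path-traversal string or an over-long value never reaches the lookup and is logged like any other bad parameter.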
Things Not To Do
Applications should NOT build session identifiers or session variables from any user personal information (user name, password, home address, etc.).
Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.
Highly protected applications should not implement “remember me” functionality.
Highly protected applications should not use URL rewriting to maintain state when cookies are turned off on the client.
Applications should NOT use session identifiers for encrypted HTTPS transport that have once been used over HTTP.