8.2.2 - "with the exception of session tokens" is a bit too wide #1091
Comments
I suggest solution one.

Options:

This one is preferred. ... , with the exception of cookie-based session tokens in cookies and token-based session tokens in sessionStorage.
Link to bleeding edge: 8.2.2
"spin-off" requirement from The Monster Issue #843 (comment)
Current (bleeding edge) solution
v4.0.2-8.2.2
v4.0.2-3.2.3 (deleted from bleeding edge):
For cookie-based sessions there is now a separate requirement 3.4.6 in bleeding edge:
Change made for v4.0.3 (just drop the exception, because for v4.0.3 3.2.3 stays and there is no 3.4.6):
Problem - a bit too wide-open exception
A session token IS a sensitive piece of information AND it is stored in some browser storage, and is therefore in any case in conflict with 8.2.2 (without the added exception):
With the wide-open exception "with the exception of session tokens" it is allowed to store any type of token in any browser storage.
Solution 1) Should we be more precise with this exception? Like (wording needs improvement):
Solution 2) Should we add an extra requirement to V3.5.* which says something like:
Then the previous 3.2.3 is covered with the new 3.4.6 and the new 3.5.*
ping @jsulinski