Web Authentication Cookie FAQs
Does the application use web authentication cookies?
Yes, we use a session cookie for maintaining authenticated user identification.
Is the cookie used for non-authentication purposes?
No, the cookie contains exactly one value, the session ID.
Is the cookie set to the narrowest/lowest path or domain needed in order to prevent inadvertent or unauthorized sharing of cookies by other web applications?
Yes, the path is set to /api only (the narrowest path). As recommended by OWASP, we do not directly set the domain attribute, so the default ends up being the origin server.
Are the cookies non-persistent?
The cookies are session based, and not persisted beyond logout or via timeout.
Is the value of the cookie not predictable and does it provide 64-bit entropy?
The cookie value is a Java UUID, which uses the SecureRandom class. A little research leads me to believe it’s a 128 bit value, with 122 bit randomness.
Are default values not used for the name of the cookie?
As recommended by OWASP, the cookie name is vague/meaningless. It is simply, "id".
Is the cookie set via SSL channel and are the 'secure' and 'HTTPOnly' attributes set?
If the web server is running under SSL, then the cookie is set to secure and HttpOnly is set to true.
Can the cookie be manually deleted through a logout button that sets the cookie value to null or the cookie value is rendered invalid on the server after a period of inactivity?
Yes, the cookie can be manually deleted. There is also a timeout mechanism:
8 hour absolute lifetime - it never lasts longer than 8 hours
1 hour soft lifetime - if the last request time was > than 1 hour, the session is destroyed. Otherwise, the lifetime is bumped up 1 more hour, until the maximum 8 hour limit is met.
Is the cookie cleared during the authentication of a user?