DerScanner
Home / Vulnerability Database / Delphi : Cookie: unlimited expiration time
Delphi

Delphi : Cookie: unlimited expiration time

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session Management
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
PCI DSS 4.0
6.2.4
CWE
CWE-539CWE-1028

Overview

The application uses persistent cookies. Saving valuable data in persistent cookies (cookies with long lifetime) may result into the data confidentiality loss.

In most cases, by default non-persistent cookies, which are not stored on disk and are deleted when the browser is closed, are used. The developer can specify the lifetime of cookies, for which cookies should be stored. In this case, cookies will be stored on disk and saved between restarts the browser and restart the computer.

If valuable data is stored in persistent cookies then a potential attacker has plenty of time to get access to it.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Mobile Top 10 2014-M9: Improper Session Handling
  2. Session Management Cheat Sheet: Expire and Max-Age Attributes
  3. Ideal time for cookies to expire?
  4. What typically is the expiration date of a session cookie?
  5. OWASP Top 10 2017 A2-Broken Authentication
  6. CWE-539
  7. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
MEDIUM

DerScanner Severity Score

Do you want to fix Delphi : Cookie: unlimited expiration time in your application?

See also

Delphi

Delphi : Incorrect Raise call

Delphi

Delphi : Empty encryption key

Delphi

Delphi : Weak random number generator