Ruby : Cookie: unlimited expiration time
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
PCI DSS 4.0
HIPAA
Overview
The application uses persistent cookies. Saving valuable data in persistent cookies (cookies with a long lifetime) may result in loss of data confidentiality.
In most cases, non-persistent cookies are used by default; they are not stored on disk and are deleted when the browser is closed. The developer can specify a lifetime for which cookies should be stored. In this case, the cookies are stored on disk and persist across restarts of the browser and of the computer.
If valuable data is stored in persistent cookies, a potential attacker has plenty of time to gain access to it.
Sensitive Data Exposure vulnerabilities take third place in the “OWASP Top 10 2017” ranking of web-application vulnerabilities.
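An added example, not DerScanner's own code: a small Ruby check that reads `Set-Cookie` headers and separates session (non-persistent) cookies from persistent ones whose lifetime exceeds a limit. The sample headers, the `MAX_LIFETIME` value and the helper names are assumptions made for illustration.

```ruby
require "time"

# Longest lifetime accepted for a cookie that carries valuable data.
# Assumption for this example: one hour. Use the value your policy requires.
MAX_LIFETIME = 3600

# Returns the lifetime in seconds, or nil for a session cookie
# (no Expires / Max-Age), which the browser drops when it is closed.
def cookie_lifetime(set_cookie, now)
  attrs = set_cookie.split(";").drop(1).to_h do |attr|
    key, value = attr.strip.split("=", 2)
    [key.to_s.downcase, value]
  end
  # Max-Age takes precedence over Expires when both are present (RFC 6265).
  max_age = attrs["max-age"].to_s
  return max_age.to_i if max_age.match?(/\A-?\d+\z/)
  return nil unless attrs["expires"]
  (Time.httpdate(attrs["expires"]) - now).to_i
rescue ArgumentError
  nil # unparseable Expires date: treated here as a session cookie
end

# Classifies one Set-Cookie header value.
def audit_cookie(set_cookie, now: Time.now)
  name = set_cookie.split("=", 2).first.strip
  life = cookie_lifetime(set_cookie, now)
  verdict =
    if life.nil? then :session            # deleted when the browser closes
    elsif life > MAX_LIFETIME then :too_long # kept on disk beyond the limit
    else :bounded                          # persistent, but short-lived
    end
  { name: name, lifetime: life, verdict: verdict }
end

# Constructed sample headers (not taken from a real application).
NOW = Time.utc(2024, 1, 1)
SAMPLES = [
  # Weak: expiry set 20 years ahead, so the value stays on disk for decades.
  "auth_token=abc123; Path=/; Expires=Fri, 01 Jan 2044 00:00:00 GMT; HttpOnly",
  # Corrected: bounded lifetime of 15 minutes.
  "auth_token=abc123; Path=/; Max-Age=900; Secure; HttpOnly",
  # Corrected: no lifetime attribute, so a non-persistent cookie.
  "auth_token=abc123; Path=/; Secure; HttpOnly"
].freeze

SAMPLES.each { |header| p audit_cookie(header, now: NOW) }
```

The same check can be run over response headers captured in an integration test to catch cookies whose lifetime was extended by mistake.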
DerScanner Severity Score: MEDIUM
