What are the Session ID Properties recognized by OWASP as a part of Session Management?
1) Session ID Name Fingerprinting
2) Session ID Length
3) Session ID Entropy
4) Session ID Content
5) All of the above
6) None of the above
With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties:
1) Session ID Name Fingerprinting - The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID.
2) Session ID Length - The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions. The session ID length must be at least 128 bits (16 bytes).
3) Session ID Entropy - The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. The session ID value must provide at least 64 bits of entropy; if a good PRNG (Pseudo Random Number Generator) is used, this value is estimated to be half the length of the session ID.
4) Session ID Content - The session ID content (or value) must be meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, or the inner workings of the web application.
REFERENCE: https://www.owasp.org/index.php/SessionManagementCheatSheet#SessionID_Properties
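As an added example (not code from Skillset or from the OWASP cheat sheet), the following Python generates a compliant ID and audits a cookie name/value pair against the four properties above, using the 128-bit length and 64-bit entropy thresholds from the text. The default-name list, the decoding heuristics, the 0.9 printable-byte threshold and the weak sample ID are constructed assumptions for illustration.

```python
import base64
import binascii
import math
import secrets
import string
from collections import Counter

# Thresholds taken from the OWASP properties quoted above.
MIN_LENGTH_BITS = 128   # property 2: at least 128 bits (16 bytes)
MIN_ENTROPY_BITS = 64   # property 3: at least 64 bits of entropy
# Well-known framework default cookie names; a generic name avoids fingerprinting (property 1).
DEFAULT_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "cfid", "cftoken"}
# Constructed weak sample: the hex encoding of the text "user=alice;role=admin".
WEAK_SAMPLE_ID = "757365723d616c6963653b726f6c653d61646d696e"


def generate_session_id(nbytes: int = 16) -> str:
    """Hex-encode nbytes from the OS CSPRNG; 16 bytes gives a 128-bit, meaningless ID."""
    return secrets.token_hex(nbytes)


def _decode(value: str) -> bytes:
    """Recover the raw bytes behind a hex or base64 ID; fall back to the UTF-8 bytes."""
    if len(value) % 2 == 0 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)
    try:
        padded = value.replace("+", "-").replace("/", "_") + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return value.encode()


def _shannon_bits(value: str) -> float:
    """Single-sample Shannon estimate (bits); an upper bound, never proof of randomness."""
    n = len(value)
    if n == 0:
        return 0.0
    return -n * sum(c / n * math.log2(c / n) for c in Counter(value).values())


def audit_session_id(name: str, value: str) -> dict:
    """Check one cookie name/value pair against the four OWASP session ID properties."""
    raw = _decode(value)
    length_bits = len(raw) * 8
    # Rule of thumb from the text: a good PRNG yields about half the ID length as entropy;
    # cap that by the Shannon estimate so a repetitive value still fails.
    entropy_bits = min(length_bits / 2, _shannon_bits(value))
    # Mostly printable decoded bytes suggest encoded user or session data (property 4).
    printable = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
    lowered = name.lower()
    return {
        "name_fingerprinting": lowered not in DEFAULT_NAMES and "sess" not in lowered,
        "length": length_bits >= MIN_LENGTH_BITS,
        "entropy": entropy_bits >= MIN_ENTROPY_BITS,
        "content": printable < 0.9,
    }
```

The Shannon figure only catches obviously repetitive values; real entropy is a property of the generator, so the check assumes a CSPRNG such as `secrets` and treats the estimate as a ceiling, not a measurement.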