Add additional documentation for PII in Session Management Cheat Shee… (
#1210)

* Add additional documentation for PII in Session Management Cheat Sheet (#942)

* Add additional documentation for PII in Session Management Cheat Sheet #1210

Co-authored-by: Shlomo Zalman Heigh <[email protected]>

---------

Co-authored-by: Shlomo Zalman Heigh <[email protected]>
arunjohnkuruvilla and szh authored Oct 3, 2023
1 parent 8ee5615 commit 94917a8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion cheatsheets/Session_Management_Cheat_Sheet.md
Expand Up @@ -62,7 +62,7 @@ Additionally, a random session ID is not enough; it must also be unique to avoid

The session ID content (or value) must be meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, or the inner workings of the web application.

The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or [PII](https://en.wikipedia.org/wiki/Personally_identifiable_information)).
The session ID must simply be an identifier on the client side, and its value must never include sensitive information or Personally Identifiable Information (PII). To read more about PII, refer to [Wikipedia](https://en.wikipedia.org/wiki/Personally_identifiable_information) or this [post](https://www.idshield.com/blog/identity-theft/what-pii-and-why-should-i-care/).

The meaning and business or application logic associated with the session ID must be stored on the server side, and specifically, in session objects or in a session management database or repository.
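Review bot: the rewritten line replaces the inline PII link with two references, one of which is a vendor blog post (idshield.com); vendor marketing URLs tend to move or disappear, so a cheat sheet is better served by a single durable definition (the Wikipedia link already present, or a standards-body definition) than by the blog link. The wording change itself is fine, and since the surrounding context lines say the session ID must be meaningless and that all meaning lives server-side, consider also naming the practical check a reader would want: decode the session ID value (base64, hex, JSON) and confirm nothing user- or session-specific is recoverable from it.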

