From 94917a822174367afd9efec3e85a50c41092fb09 Mon Sep 17 00:00:00 2001 From: Arun John Kuruvilla Date: Tue, 3 Oct 2023 08:40:35 -0400 Subject: [PATCH] =?UTF-8?q?Add=20additional=20documentation=20for=20PII=20?= =?UTF-8?q?in=20Session=20Management=20Cheat=20Shee=E2=80=A6=20(#1210)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add additional documentation for PII in Session Management Cheat Sheet (#942) * Add additional documentation for PII in Session Management Cheat Sheet #1210 Co-authored-by: Shlomo Zalman Heigh --------- Co-authored-by: Shlomo Zalman Heigh --- cheatsheets/Session_Management_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Session_Management_Cheat_Sheet.md b/cheatsheets/Session_Management_Cheat_Sheet.md index a83c5ebb6e..e6b8b03a7c 100644 --- a/cheatsheets/Session_Management_Cheat_Sheet.md +++ b/cheatsheets/Session_Management_Cheat_Sheet.md 
@@ -62,7 +62,7 @@ Additionally, a random session ID is not enough; it must also be unique to avoid The session ID content (or value) must be meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, or the inner workings of the web application. -The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or [PII](https://en.wikipedia.org/wiki/Personally_identifiable_information)). +The session ID must simply be an identifier on the client side, and its value must never include sensitive information or Personally Identifiable Information (PII). To read more about PII, refer to [Wikipedia](https://en.wikipedia.org/wiki/Personally_identifiable_information) or this [post](https://www.idshield.com/blog/identity-theft/what-pii-and-why-should-i-care/). The meaning and business or application logic associated with the session ID must be stored on the server side, and specifically, in session objects or in a session management database or repository.
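Review bot: the second reference added in the `+` line points at a vendor blog post (`idshield.com/blog/...`), which in a cheat sheet reads as promotional and is more likely to move or disappear than a standards document; consider dropping it, or replacing it with a neutral definition of PII such as NIST SP 800-122, and give the link descriptive text instead of "this [post]" so the reference makes sense when the line is read without following it, e.g. `refer to the [Wikipedia article on PII](https://en.wikipedia.org/wiki/Personally_identifiable_information)`. The change to spell out "Personally Identifiable Information (PII)" before the abbreviation is an improvement and keeps the original meaning of the sentence intact.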