Usage of Default Session Cookie Configuration
Overview
Rule ID: javascript_express_default_session_config
Applicable Languages: JavaScript
Weakness ID: CWE-693
Description
Using the default session cookie configuration can expose your application to security vulnerabilities. When session cookies are set with default values, their name and attributes are predictable, which identifies the framework in use and makes the cookie easier for attackers to target.
Remediation Guidelines
Do not rely on the default session cookie name and settings provided by your framework. These defaults are easily guessed by attackers, which increases the risk of session hijacking.
Use a generic, non-descriptive name for the session cookie. This makes it harder for attackers to identify and exploit your application's session management mechanism.
References
Configuration
To omit this rule during a scan, or to get continuous code-level scanning of your repositories, use our SAST tool.
Last updated