Default Session Cookie Name
Description
The session middleware is configured with its default cookie name. Because each framework ships with a distinct default, the name alone identifies the framework in use, which lets an attacker fingerprint the server and tailor attacks accordingly.
Examples
Insecure Code
```javascript
// Neither middleware is given a `name` option, so each falls back to its
// built-in default session cookie name.
const cookieSession = require('cookie-session')();
const expressSession = require('express-session')();
```
Secure Code
```javascript
// Passing a custom `name` replaces the framework default on the Set-Cookie header.
const cookieSession = require('cookie-session')({ name: 'custom_session_id' });
const expressSession = require('express-session')({ name: 'custom_session_id' });
```
Remediation
Set the middleware's `name` option to a custom value so the session cookie no longer carries the framework's default name.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0388 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | session cookie, fingerprinting |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |