Resist session id name fingerprinting by default #24

LeoniePhiline · 2022-12-15T15:54:49Z

The default session cookie name gives away that axum (or this specific middleware) is used:

https://github.com/maxcountryman/axum-sessions/blob/main/src/session.rs#L112

This should be changed to a generic default, like sid, id, or ses.

See also:

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-name-fingerprinting

The text was updated successfully, but these errors were encountered:

maxcountryman · 2022-12-15T15:55:54Z

Good find! Let's change it.

…ting [#24] Change default cookie name to avoid fingerprinting

maxcountryman · 2023-03-14T17:22:19Z

I believe this was addressed in #36.

LeoniePhiline changed the title ~~Resist session id name fingerprinting~~ Resist session id name fingerprinting by default Dec 15, 2022

maxcountryman added enhancement New feature or request help wanted Extra attention is needed good first issue Good for newcomers labels Dec 15, 2022

quasiuslikecautious mentioned this issue Mar 4, 2023

[#24] Change default cookie name to avoid fingerprinting #36

Merged

maxcountryman added a commit that referenced this issue Mar 14, 2023

Merge pull request #36 from quasiuslikecautious/resist-sid-fingerprin…

a131376

…ting [#24] Change default cookie name to avoid fingerprinting

maxcountryman closed this as completed Mar 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resist session id name fingerprinting by default #24

Resist session id name fingerprinting by default #24

LeoniePhiline commented Dec 15, 2022

maxcountryman commented Dec 15, 2022

maxcountryman commented Mar 14, 2023

Resist session id name fingerprinting by default #24

Resist session id name fingerprinting by default #24

Comments

LeoniePhiline commented Dec 15, 2022

maxcountryman commented Dec 15, 2022

maxcountryman commented Mar 14, 2023