Hello,

I need inputs/answers on the points below to implement a secure session
management application, or, if there is any configuration that may need to be
tuned to improve the points below, please point me to that.
A)
Are session IDs cryptographically strong, and do they avoid revealing sensitive
information, so that they can't be guessed easily or used to find attack
vectors?
Do we meet the below?
1. Are strong entropy sources being used to generate the session ID value?
2. Are strong cryptographic algorithms being used to generate the session
ID value?
3. Does the session ID value provide at least 128 bits of entropy?
4. Is the session ID value meaningless, to prevent information disclosure
attacks that allow recovery of the contents of the ID and extraction of details of
the user, the session, or the inner workings of the web application?

B)
Are the session IDs fully validated before they may be used?
When using a session ID to keep authentication state and track user progress
within a web application, the application MUST treat the session ID as
untrusted data, and sanitize and validate it before use.

Thanks a lot for your time.

Utkarsh Dave
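The two checklists above (A: generate the ID from a strong entropy source with at least 128 bits of entropy and no embedded meaning; B: treat a presented ID as untrusted and validate it before any lookup) can be demonstrated together in a small Python example. This is an added illustration, not code from the original post or from any particular web framework; the session store, the hex alphabet and the 32-character length are assumptions made for the example, and `secrets.token_hex` is used because it draws from the operating system's CSPRNG.

```python
import math
import re
import secrets

# Assumption for this example: 16 random bytes from the OS CSPRNG, rendered as
# 32 lowercase hex characters. 16 bytes * 8 = 128 bits of entropy, which is the
# minimum asked for in point A.3. The value carries no user or session data
# (point A.4): it is only a random key into the server-side store.
SESSION_ID_BYTES = 16
SESSION_ID_LENGTH = SESSION_ID_BYTES * 2
SESSION_ID_RE = re.compile(r"[0-9a-f]{%d}" % SESSION_ID_LENGTH)


def generate_session_id() -> str:
    """Return a new, meaningless session ID with 128 bits of entropy."""
    return secrets.token_hex(SESSION_ID_BYTES)


def entropy_bits(session_id: str) -> float:
    """Upper bound on the entropy of an ID drawn uniformly from the hex alphabet.

    Only meaningful for IDs produced by generate_session_id(); it documents the
    128-bit budget rather than measuring the randomness of any single value.
    """
    return len(session_id) * math.log2(16)


def is_well_formed(presented) -> bool:
    """Point B: a presented session ID is untrusted input.

    Accept only a string of exactly the expected length and alphabet; anything
    else (wrong type, wrong length, path characters, quotes, whitespace) is
    rejected before it reaches the store or any other component.
    """
    if not isinstance(presented, str):
        return False
    return SESSION_ID_RE.fullmatch(presented) is not None


class SessionStore:
    """Minimal in-memory store used only to show validate-before-use."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        session_id = generate_session_id()
        self._sessions[session_id] = {"user": username}
        return session_id

    def lookup(self, presented):
        # Validation happens first, so a malformed value never touches the store.
        if not is_well_formed(presented):
            return None
        return self._sessions.get(presented)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")  # constructed sample user
    print("issued:", sid, "entropy bits:", entropy_bits(sid))
    print("valid lookup:", store.lookup(sid))
    for bad in ["../etc/passwd", sid.upper(), sid[:-1], "' OR 1=1 --", None]:
        print("rejected:", repr(bad), store.lookup(bad))
```

The regex check is deliberately strict rather than a sanitizing rewrite: an ID that does not match exactly is discarded, which is simpler to reason about than trying to clean it up. A real deployment would also bind the ID to a cookie with the usual Secure/HttpOnly attributes and regenerate it on login, but those are outside the two questions asked above.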
