Update: Session Management - caching guidelines
In the Web Content Caching section it says:
"Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID (see here)."
But I am confused because MDN says (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control)
"Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use."
So does this mean we should be sending the no-store directive with any response from our server which includes a header of set-cookie: sessionid=someid?
I think sending no-store is also a good idea and will not harm the cookie flow at all.
@jmanico do you want to make any changes to the cheatsheet because of this?
Hi! I'd like to work on this issue. Based on the discussion, I'll update the Session Management Cheat Sheet to recommend using Cache-Control: no-store instead of no-cache="Set-Cookie, Set-Cookie2", since no-store prevents session ID caching entirely. I'll also update the explanation to clarify the difference.
Let me know if this approach looks good, and I'll submit a PR soon!
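To make the difference concrete, here is an added example (not code from the OWASP cheat sheet or from any participant in this thread) that parses a Cache-Control header, classifies a response carrying Set-Cookie according to whether caches may store it, and rewrites the header to no-store. It assumes header names are already lowercased, as Node's http module does, and the verdict labels ('safe', 'partial', 'unsafe') are this example's own; the header maps at the bottom are constructed sample data.

```javascript
// Added example: Cache-Control and Set-Cookie, no-cache vs no-store.
// Assumes header keys are lowercase (Node's http module normalises them).

// Parse a Cache-Control value into a Map of directive -> value (null when the
// directive has no argument). Quoted field lists such as
// no-cache="Set-Cookie, Set-Cookie2" contain commas, so we split only on
// commas that are outside double quotes.
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  const parts = [];
  let cur = '';
  let inQuote = false;
  for (const ch of value) {
    if (ch === '"') { inQuote = !inQuote; cur += ch; }
    else if (ch === ',' && !inQuote) { parts.push(cur); cur = ''; }
    else cur += ch;
  }
  parts.push(cur);
  for (const raw of parts) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    if (eq === -1) { directives.set(part.toLowerCase(), null); continue; }
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    directives.set(name, val);
  }
  return directives;
}

// Set-Cookie may be a single string or (in Node) an array of strings.
function hasSetCookie(headers) {
  const v = headers['set-cookie'];
  return Array.isArray(v) ? v.length > 0 : Boolean(v);
}

// Classify a response that sets a cookie (verdict labels are this example's own):
//   'safe'    - no-store is present: caches must not store the response at all.
//   'partial' - only no-cache="Set-Cookie..." is present: a cache that honours the
//               field-name form drops that header but may still store the body.
//   'unsafe'  - bare no-cache (storable, revalidate before reuse) or no Cache-Control.
//   'n/a'     - the response sets no cookie, so nothing session-related to protect.
function assessCookieResponse(headers) {
  if (!hasSetCookie(headers)) return 'n/a';
  const cc = parseCacheControl(headers['cache-control']);
  if (cc.has('no-store')) return 'safe';
  const fields = cc.get('no-cache');
  if (typeof fields === 'string' &&
      fields.split(',').some(f => f.trim().toLowerCase() === 'set-cookie')) {
    return 'partial';
  }
  return 'unsafe';
}

// Return a copy of the headers with Cache-Control forced to no-store whenever
// the response sets a cookie; responses without Set-Cookie are left untouched.
function hardenHeaders(headers) {
  const out = { ...headers };
  if (hasSetCookie(out)) out['cache-control'] = 'no-store';
  return out;
}

// Constructed sample responses (not captured traffic).
const loginResponseOld = {
  'content-type': 'text/html',
  'set-cookie': ['sessionid=someid; HttpOnly; Secure; Path=/'],
  'cache-control': 'no-cache="Set-Cookie, Set-Cookie2"',
};
const loginResponseBareNoCache = { ...loginResponseOld, 'cache-control': 'no-cache' };
const loginResponseNew = hardenHeaders(loginResponseOld);

console.log(assessCookieResponse(loginResponseOld));         // partial
console.log(assessCookieResponse(loginResponseBareNoCache)); // unsafe
console.log(assessCookieResponse(loginResponseNew));         // safe
```

In a Node handler the hardening step is simply `res.setHeader('Cache-Control', 'no-store')` before any `Set-Cookie` is written; the pure functions above are easier to unit test and to run over recorded response headers from a proxy.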
@aakarshgopishetty looks good for me!
@jmanico do you want to make any changes to the cheatsheet because of this?
Yes please, as you see fit!
@aakarshgopishetty feel free to work on this :)
Hi!
I’ve updated the Session Management Cheat Sheet to recommend using Cache-Control: no-store instead of no-cache="Set-Cookie, Set-Cookie2", as no-store ensures that the session ID and other sensitive data are never cached. The change also clarifies the differences between no-cache and no-store and references the MDN documentation for better clarity.
Looking forward to your feedback!