PCI DSS v3.2 & Exposing Session ID in URL
Last updated on: September 6, 2020
Passing the session ID in the URL, as reported by QID 150068 “Session ID in URL”, will be marked as a PCI Fail as of April 15, 2018 in accordance with PCI DSS v3.2.
QID 150068 is a PCI Fail according to PCI DSS v3.2 Requirement 6.5.10:
6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
- Flagging session tokens (for example cookies) as “secure”
- Not exposing session IDs in the URL
- Incorporating appropriate time-outs and rotation of session IDs after a successful login.
The impact of the vulnerability depends on whether the application enforces renewal of the session ID after the user authenticates or after a change in the user’s privilege level. If successful, the attacker can get full control of the application and gain access to all of the available authenticated resources.
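The following is an added example, not code from the original article or from Qualys, showing the three controls listed under Requirement 6.5.10 in working form: a session store that issues high-entropy IDs, rotates the ID on login and on privilege change, enforces an idle time-out, and emits a Secure/HttpOnly cookie, plus a small checker that flags session-token names exposed in a URL (the kind of finding QID 150068 reports). The cookie name, the 15-minute idle limit, and the list of session parameter names are assumptions chosen for illustration, not values from the page.

```python
"""Session handling that meets PCI DSS 6.5.10 (added example, not Qualys code)."""
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed values for illustration; adjust to your application and framework.
COOKIE_NAME = "SESSIONID"
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "sessionid", "session_id", "sid", "asp.net_sessionid",
}


@dataclass
class Session:
    user: Optional[str] = None
    privileged: bool = False
    last_seen: float = field(default_factory=time.time)


class SessionStore:
    """In-memory session store; the clock is injectable so time-outs are testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(last_seen=self._clock())
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, expiring it if idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = self._clock()
        return s

    def rotate(self, old_sid: str) -> str:
        """Move the session state to a fresh ID and invalidate the old one."""
        s = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        s.last_seen = self._clock()
        self._sessions[new_sid] = s
        return new_sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and rotate, so a pre-login ID never becomes an authenticated one."""
        s = self.get(sid)
        if s is None:
            raise KeyError("unknown or expired session")
        s.user = user
        return self.rotate(sid)

    def elevate(self, sid: str) -> str:
        """Raise privilege and rotate, per the 'rotation after privilege change' control."""
        s = self.get(sid)
        if s is None or s.user is None:
            raise KeyError("session is not authenticated")
        s.privileged = True
        return self.rotate(sid)


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value with the Secure and HttpOnly flags set."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True      # only sent over TLS
    c[COOKIE_NAME]["httponly"] = True    # not readable from script
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def session_ids_in_url(url: str) -> list:
    """Return the names of session-token parameters exposed in a URL.

    Checks the query string (?PHPSESSID=...) and the servlet-style path
    parameter (/page;jsessionid=...), which urlparse exposes as .params.
    """
    parts = urlparse(url)
    found = []
    for segment in (parts.query, parts.params):
        for name in parse_qs(segment, keep_blank_values=True):
            if name.lower() in SESSION_PARAM_NAMES:
                found.append(name)
    return found


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated on login:", anon != authed)
    print(session_cookie_header(authed))
    # Constructed URL for demonstration: the checker flags the exposed token name.
    print(session_ids_in_url("https://shop.example/cart?PHPSESSID=abc123&item=7"))
```

A scanner such as the one behind QID 150068 looks for exactly the pattern the checker flags; running it over your own access logs or link-rewriting configuration is a quick way to confirm the finding before the April 15, 2018 cutoff applies to a scan.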
For reference, please see the PCI DSS v3.2 documentation in the PCI DSS Documents Library.