The system must not expose session IDs in URLs and messages presented to the user.
Session IDs are sensitive information that may allow an attacker to steal, modify and/or destroy information once they obtain one. Information sent via URL parameters is:
stored in clear text in the browser history. sent to external sites via the referrer HTTP header.
sent to external sites via the search bar if the browser interprets the URL as a query.
visible to scripts running on the browser that may belong to third-parties.
Therefore, session IDs should not be sent via URL parameters, nor be displayed as messages presented to the user, nor stored in logs.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-319: Cleartext Transmission of Sensitive Information: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-598: Use of GET Request Method With Sensitive Query Strings: The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V3.1 Client-side Data Protection.(3.1.1): Verify the application never reveals session tokens in URL parameters or error messages.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.1): Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.
OWASP-ASVS v4.0.1 V13.1 Generic Web Service Security Verification Requirements.(13.1.3): Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.