
We are developing a banking app where a sensitive information field would need to be stored in the session (not all sensitive information fields, just one).

EDIT: By session, we don't mean in a cookie. It's in the back-end session attribute of the application. By the way, our app is Java Spring MVC.

My question is, from a security perspective, do we still need to encrypt this information when stored in the session? We are using HTTPS anyway.
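For reference, here is one way the pattern under discussion can look in Spring MVC: the field is submitted once over HTTPS, kept only server-side in the `HttpSession`, held there as an AES-GCM ciphertext so that a serialized session store or a memory snapshot does not contain the plaintext, decrypted only at the point of use, and removed as soon as it is no longer needed. This is an added illustration, not code from the question or from any Spring project; the `SessionFieldCrypto` bean, the `/profile/sensitive` and `/payment/confirm` endpoints, and the attribute name `sensitiveField.sealed` are all hypothetical, and a real deployment would load the key from a KMS/HSM rather than generate it at startup.

```java
// Added example (not from the question or any Spring project). Assumes
// Spring MVC 5+, Java 11+ and a hypothetical key-holding bean SessionFieldCrypto.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Component
class SessionFieldCrypto {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the size GCM recommends
    private static final int TAG_BITS = 128;
    private final SecretKey key;              // held by the bean, never written to the session store
    private final SecureRandom rng = new SecureRandom();

    SessionFieldCrypto() throws Exception {
        // Hypothetical: a real deployment loads this from a KMS/HSM, not a fresh KeyGenerator
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        this.key = kg.generateKey();
    }

    // Returns Base64(IV || ciphertext || tag); a fresh IV per value, never reused with this key
    String seal(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverses seal(); GCM tag verification fails loudly if the stored value was altered
    String open(String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
}

@Controller
class SensitiveFieldController {
    private static final String ATTR = "sensitiveField.sealed";   // hypothetical attribute name
    private final SessionFieldCrypto crypto;

    SensitiveFieldController(SessionFieldCrypto crypto) { this.crypto = crypto; }

    // The client submits the value once over HTTPS; from here on it stays server-side.
    @PostMapping("/profile/sensitive")
    @ResponseBody
    String store(@RequestParam("value") String value, HttpSession session) throws Exception {
        session.setAttribute(ATTR, crypto.seal(value));
        return "stored";                       // never echo the value back to the browser
    }

    // A later request in the same session: decrypt only at the point of use.
    @PostMapping("/payment/confirm")
    @ResponseBody
    String confirm(HttpSession session) throws Exception {
        String sealed = (String) session.getAttribute(ATTR);
        if (sealed == null) {
            return "no value in session";
        }
        String value = crypto.open(sealed);
        // ... hand `value` to the core banking call here ...
        session.removeAttribute(ATTR);         // drop it as soon as it is no longer needed
        return "confirmed";
    }
}
```

The only thing that ever reaches the browser is the session id cookie, so the usual cookie hardening still matters (in Spring Boot, `server.servlet.session.cookie.secure=true` and `server.servlet.session.cookie.http-only=true`). Encrypting the attribute does not defend against an attacker who already controls the application process, since that process holds the key; what it buys is that session persistence (Redis, JDBC, serialized session files) and heap dumps or snapshots taken outside the process hold only ciphertext.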

  • It depends on who you want to protect it from. I have a hard time conjuring up a hypothetical attacker that would be deterred by what is essentially memory encryption. Perhaps this can help protect against a malicious hypervisor operator who can take memory snapshots. – Artjom B. Jan 25 '21 at 20:39
  • If it's not a browser session then why store it in the browser? You should have a browser session and you should then be able to store the backend session server side in your web app. Returning a back end session in the client is unnecessary and asking for trouble. I'm not saying it's definitely a vulnerability (that would depend on the app and implementation) but you don't need to do it so why expose that information to potential attackers? If an attacker can get a bank account (which they will be able to) then they will be able to get at this information... – Simon Bennetts Jan 26 '21 at 09:23

0 Answers