
Chapter 6 DXP Security

• Use CAPTCHA for functions such as user registration and password reset to prevent automated and bot-based attacks.
• Lock the account after a specified number of successive failed password attempts.

Session Management

A session is established once the user successfully logs in. A valid user session consists of user information, application data, and so on. The main best practices for managing user sessions are as follows:

• Enforce an automatic idle-session timeout that invalidates the session after a specific period of inactivity. This prevents accidental misuse of a session. A 30-minute idle window is usually suitable.
• Prevent multiple sessions/user logins at the same time to prevent session hacking.
• Use CSRF (cross-site request forgery) tokens (a unique ID) with each request to prevent CSRF attacks.
• Do not store any sensitive information in session cookies.
• Use a secure transport protocol (such as HTTPS or FTPS) when transmitting sensitive information.
• Don't send session IDs as URL parameters.

Information Management

The information related to a DXP system and its application data should be carefully guarded to prevent sophisticated hacking attempts. The key best practices related to information management are as follows:

• Prevent accidental disclosure of information in log files, exception messages, and error logs. This includes the web server name/version, the programming language used, host name, IP address, and similar sensitive information.

188
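The session-management practices listed above (30-minute idle timeout, a single active login per user, a per-session CSRF token checked on every request, and a session ID carried only in a hardened cookie, never in URL parameters) as an added Python example; this is not code from the book, and the names SessionManager, Session and the cookie name SESSIONID are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 30 * 60  # 30-minute idle window, as recommended above

@dataclass
class Session:
    user_id: str
    csrf_token: str
    last_seen: float
    data: dict = field(default_factory=dict)  # application data only; never secrets

class SessionManager:
    def __init__(self, now=time.time):
        self._sessions = {}   # opaque session ID -> Session (server side only)
        self._by_user = {}    # user_id -> session ID, to enforce one login per user
        self._now = now       # injectable clock so the timeout can be tested

    def login(self, user_id):
        # A new login invalidates any existing session for the same user
        old = self._by_user.pop(user_id, None)
        if old:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, secrets.token_urlsafe(32), self._now())
        self._by_user[user_id] = sid
        return sid

    def cookie_header(self, sid):
        # Secure: HTTPS only; HttpOnly: no script access; SameSite: CSRF defence in depth
        return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def resolve(self, cookie_sid, query_params):
        # The session ID is accepted from the cookie only, never from URL parameters
        if "SESSIONID" in query_params:
            return None
        session = self._sessions.get(cookie_sid)
        if session is None:
            return None
        if self._now() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(cookie_sid)  # idle timeout: invalidate instead of refreshing
            self._by_user.pop(session.user_id, None)
            return None
        session.last_seen = self._now()
        return session

    def validate_csrf(self, session, submitted_token):
        # Constant-time comparison of the per-session token sent with each request
        return hmac.compare_digest(session.csrf_token, submitted_token or "")
```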

Building Digital Experience Platforms - Page 203