Movere uses four cookies for session maintenance on its website. All sessions are kept alive for 24 hours, after which the user is automatically logged off. If a user chooses to log off manually, the session cookies are immediately deleted. One cookie is issued by the Web API for session state, one cookie is issued by the Authentication API and serves as a bearer token, and two cookies are issued by Qlik to provide authentication to the Qlik service.
Users are considered unauthenticated until the application has taken positive action to tie a session with an authentication token, which is validated on each submission or request.
Cookies set during an SSL session have the “secure” flag set and have the domain component set to the domain associated with the publicly addressable IP of the application or web server.
Non-persistent cookies are only used to identify a client session and contain the minimum amount of information required to implement functionality. All cookies contain a large enough random component to ensure uniqueness and are encrypted or hashed.
Session tokens are cryptographically unique, non-sequential, non-predictable, and resistant to reverse engineering. They are not based on personal information, and have a key space large enough to prevent brute-force attacks or enumeration. They are renegotiated after a configurable length of time. Brute-force attempts against session tokens generate a security event in the application assessment logs. Sessions are torn down effectively by the logout functionality, and the application can manage both normal and abnormal session termination.
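The properties described above (a CSPRNG-generated token with a large key space, a Secure and domain-scoped non-persistent cookie, a fixed 24-hour lifetime, immediate teardown on logout, and a security event when a client keeps presenting invalid tokens) can be shown in a small server-side session store. The following is an added illustration and not Movere's own code; the class and method names, the `BRUTE_FORCE_THRESHOLD` value, the `SameSite` and `HttpOnly` attributes, and the sample domain are assumptions made for the example.

```python
# Added illustration (not Movere's own code): a minimal server-side session
# store exhibiting the session-cookie properties described on the page.
# Names, the brute-force threshold and the sample domain are assumptions.
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_LIFETIME_SECONDS = 24 * 60 * 60  # page: sessions expire after 24 hours
BRUTE_FORCE_THRESHOLD = 5                # assumed: invalid tokens per client before an event


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable clock so expiry can be tested
        self._sessions = {}           # token digest -> {"user": ..., "expires": ...}
        self._failures = {}           # client id -> count of invalid token presentations
        self.security_events = []     # what the assessment log would receive

    @staticmethod
    def _digest(token):
        # Store only a hash of the token so a leaked store does not yield usable bearer tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        # 32 bytes from the OS CSPRNG: non-sequential, non-predictable, 256-bit key space,
        # and unrelated to any personal information about the user.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {
            "user": user,
            "expires": self._clock() + SESSION_LIFETIME_SECONDS,
        }
        return token

    def cookie_header(self, token, domain):
        # Secure: only sent over TLS. HttpOnly: not readable by page script.
        # Domain: pinned to the site's own host. No Expires/Max-Age: non-persistent.
        c = SimpleCookie()
        c["session"] = token
        c["session"]["secure"] = True
        c["session"]["httponly"] = True
        c["session"]["domain"] = domain
        c["session"]["path"] = "/"
        c["session"]["samesite"] = "Strict"
        return c.output(header="").strip()

    def validate(self, token, client_id):
        # Called on every request: a user is unauthenticated until the presented
        # token matches a live, unexpired session.
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is not None and entry["expires"] > self._clock():
            self._failures.pop(client_id, None)
            return entry["user"]
        if entry is not None:
            # Expired: tear the server-side state down (abnormal termination path).
            del self._sessions[key]
        n = self._failures.get(client_id, 0) + 1
        self._failures[client_id] = n
        if n >= BRUTE_FORCE_THRESHOLD:
            # Repeated invalid tokens from one client become a security event.
            self.security_events.append(
                {"event": "session_token_bruteforce", "client": client_id, "attempts": n}
            )
        return None

    def logout(self, token):
        # Manual log-off: the session is gone immediately (normal termination path).
        return self._sessions.pop(self._digest(token), None) is not None
```

The brute-force counter is keyed by a client identifier supplied by the caller (for example the source address or a device identifier) rather than by the token, since by definition the tokens being tried are not valid sessions; `SESSION_LIFETIME_SECONDS` is the single knob that would make the renegotiation interval configurable.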