Security decisions should not depend on branching that can be influenced by untrusted or client-provided data. For example, using a client-provided session ID (the value returned by `getRequestedSessionId()`, which comes straight from the request's cookie or URL, as opposed to a session the server itself established) in a conditional statement might allow an attacker to search for IDs of active sessions by observing which values change the application's behavior.
import javax.servlet.http.HttpServletRequest;

public void logSessionIdNoncompliant(HttpServletRequest request) {
    final String sessionId = request.getRequestedSessionId();
    // Noncompliant: user-supplied session ID is used to make a decision.
    if (sessionId != null && sessionId.equals("ImportantSession")) {
        System.out.println("Client-provided session ID: " + sessionId + " is important");
    }
}
import javax.servlet.http.HttpServletRequest;

public void logSessionIdCompliant(HttpServletRequest request) {
    // Compliant: user-supplied session ID is not used to make decisions.
    System.out.println("Client-provided session ID: " + request.getRequestedSessionId());
}
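When a handler genuinely needs to branch on who the caller is, the trustworthy input is the server-side session state that the servlet container resolved, not the raw ID string the client sent. The following is an added example (not code from the original page) showing that pattern with the standard Servlet API. It assumes the `javax.servlet` namespace (newer containers use `jakarta.servlet` with the same method names) and that the application's login code stored a `"role"` attribute in the `HttpSession`; that attribute name is a hypothetical choice for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionDecisions {

    // Compliant: the decision keys off state the server attached to the session.
    // getSession(false) asks the container for an existing session and returns
    // null if the requested ID does not map to a live one; the container does the
    // ID matching, so application code never compares the untrusted string itself.
    public static boolean isAdmin(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        // "role" is an assumed attribute name set by the application's login code.
        Object role = session.getAttribute("role");
        return "admin".equals(role);
    }

    // If code only needs to know whether the client-supplied ID refers to a live
    // session, ask the container rather than comparing the ID against known values.
    public static boolean requestedIdIsLive(HttpServletRequest request) {
        return request.isRequestedSessionIdValid();
    }

    // Logging the requested ID remains fine as long as it drives no decision;
    // this mirrors the compliant example above.
    public static void logRequestedId(HttpServletRequest request) {
        System.out.println("Client-provided session ID: " + request.getRequestedSessionId());
    }
}
```

The point of the design is that the only comparison against the client-provided ID happens inside the container's session lookup, which is the component meant to do it; application branches then depend on attributes that only server-side code can set, so a client enumerating ID values gains nothing from the application's responses.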