Ensure Secure Session Cookies with High Entropy Tokens
Web apps should use random session cookie identifiers with high entropy to ensure security.
Plain language
This control is about making sure that when you log into a website, the little 'login token' it gives you is super hard for hackers to guess or fake. If these tokens aren't secure, someone could pretend to be you online, which might lead to your personal data being stolen or your accounts being misused.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
Web application session cookies using opaque bearer tokens that are not digitally signed use non-sequential random identifiers with a minimum of 128 bits of entropy, preferably 256 bits of entropy.
Why it matters
Low-entropy or predictable opaque session cookie tokens can be guessed, enabling session hijacking and unauthorised access to user accounts and data.
Operational notes
Generate opaque session IDs with a CSPRNG and verify at least 128 bits (preferably 256) of entropy; periodically test for predictability/non-sequential values.
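The operational note above, worked through in Python as an added example (not code from the page, the ISM or any vendor): a CSPRNG-backed session ID generator sized to the control's 128/256-bit thresholds, and a periodic audit that flags short, duplicated, monotonic or heavily biased IDs. The counter-based generator and its 1000-based start value are constructed here purely as a weak case for comparison.

```python
import base64
import secrets
from typing import List

# Thresholds from the control statement: 128 bits minimum, 256 preferred.
MIN_ENTROPY_BITS = 128
PREFERRED_ENTROPY_BITS = 256

def new_session_id(entropy_bits: int = PREFERRED_ENTROPY_BITS) -> str:
    """Opaque, unsigned session ID: CSPRNG bytes, base64url without padding."""
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError(f"session IDs need at least {MIN_ENTROPY_BITS} bits")
    return secrets.token_urlsafe(entropy_bits // 8)  # 32 bytes -> 43 chars

def decode_session_id(token: str) -> bytes:
    """Recover the raw bytes; token_urlsafe strips '=' padding, so restore it."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def audit_session_ids(tokens: List[str]) -> List[str]:
    """Periodic check for the defects the control names. Byte length only bounds
    entropy from above; monotonic and bit-balance checks catch gross failures."""
    if not tokens:
        return ["no session IDs to audit"]
    findings = []
    raw = [decode_session_id(t) for t in tokens]
    if any(len(r) * 8 < MIN_ENTROPY_BITS for r in raw):
        findings.append("entropy: token shorter than 128 bits")
    if len(set(tokens)) != len(tokens):
        findings.append("collision: duplicate session IDs issued")
    values = [int.from_bytes(r, "big") for r in raw]
    steps = [b - a for a, b in zip(values, values[1:])]
    if len(steps) >= 8 and (all(s > 0 for s in steps) or all(s < 0 for s in steps)):
        findings.append("sequential: IDs are monotonic, generator looks counter-based")
    bits = "".join(f"{v:0{len(r) * 8}b}" for v, r in zip(values, raw))
    ones = bits.count("1") / len(bits)
    if len(bits) >= 4096 and not 0.45 <= ones <= 0.55:
        findings.append(f"bias: {ones:.2f} of bits set, expected about 0.50")
    return findings

def counter_session_ids(n: int, start: int = 1000) -> List[str]:
    """Constructed weak generator: a counter padded to 32 bytes, long but predictable."""
    return [base64.urlsafe_b64encode((start + i).to_bytes(32, "big")).rstrip(b"=").decode()
            for i in range(n)]

if __name__ == "__main__":
    print(audit_session_ids([new_session_id() for _ in range(50)]))  # []
    print(audit_session_ids(counter_session_ids(50)))  # sequential and bias findings
```

Run the audit over a sample of IDs actually issued by the application, not just over the generator in isolation, so that framework or middleware defects are caught as well.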
Implementation tips
- IT team should implement secure session tokens: Use a secure software library to generate session tokens with high randomness. Make sure these tokens have at least 128 bits of unpredictability, which means they are strong enough to resist guessing.
- Look at documentation or settings in the app that confirm the token randomness meets standards
- Look at existing libraries or tools that meet security standards, such as those recommended by the Australian Signals Directorate
- Security officer should educate staff: Run a training session or distribute materials explaining why secure tokens are important and how they protect the business from potential breaches. Use examples that relate to the team members' roles to reinforce understanding.
- Procurement team should assess software vendors: Before purchasing or renewing web application software, check that the vendors guarantee session token security measures in their products. Review vendor documentation and request information on how they handle session security.
Audit / evidence tips
- Ask for the session token generation documentation: Request internal tech guidelines or vendor documentation that describes how session tokens are generated and managed. Good outcome shows documented assurance of at least 128 bits of entropy.
- Good outcome is settings that align with recommendations from the ACSC.
- Ask for logs or reports related to token distribution: Request data showing how session tokens are distributed and handled. Good outcome includes absence of predictable patterns or recurring errors in token generation.
- Ask for results from recent security tests or audits that included session token assessment. Good outcome shows no successful breaches and recommendations implemented to improve security.
- Good outcome includes high staff participation and updated materials that reflect current security standards.
Cross-framework mappings
How ISM-2065 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.26 | Partially meets | ISM-2065 requires web applications using opaque bearer session cookies (not digitally signed) to generate non-sequential random session i... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.