Secure Coding Practices, Part 5: Session Management<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/1499043574-csitaillib.js"></script> <script>if (typeof(window.attachCsiOnload) != 'undefined' && window.attachCsiOnload != null) { window.attachCsiOnload('ext

by Steven McElwee

Session management security is especially important in web applications. A user can view and modify all information that is passed to and from a web browser. Popular browsers have plug-ins to make viewing and modification of HTTP traffic easy. As a result, the means of establishing, maintaining, and ending a session are in full view of the end user.

To make session management secure, it is important to encapsulate sensitive information in a way that the user does not see the data, but the server-side application can still identify the user and session properties.

Here are a few questions to consider when creating or reviewing web application software:

Is session data excluded from the URL using the GET method?
Does data in the browser cookie contain only the session ID and exclude other session information?
Are session IDs hashed to prevent attackers from guessing valid session IDs?
Are session IDs guaranteed to be unique?
Are sessions validated on each page request?
Do sessions expire after a period of inactivity?
Are expired sessions deleted on the server?

Labels: Secure Coding Practices

1.17.2008

Secure Coding Practices, Part 5: Session Management

0 Comments:

Links to this post:

Categories

Get Updates

Previous Posts