1.17.2008

Secure Coding Practices, Part 5: Session Management

by Steven McElwee, CISSP

Session management security is especially important in web applications. A user can view and modify all information that is passed to and from a web browser. Popular browsers have plug-ins to make viewing and modification of HTTP traffic easy. As a result, the means of establishing, maintaining, and ending a session are in full view of the end user.

To make session management secure, sensitive session information must be encapsulated so that the user cannot see the data, while the server-side application can still identify the user and the session's properties.

Here are a few questions to consider when creating or reviewing web application software:

  • Is session data kept out of the URL, i.e. never passed as GET parameters?
  • Does data in the browser cookie contain only the session ID and exclude other session information?
  • Are session IDs hashed to prevent attackers from guessing valid session IDs?
  • Are session IDs guaranteed to be unique?
  • Are sessions validated on each page request?
  • Do sessions expire after a period of inactivity?
  • Are expired sessions deleted on the server?
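The following is an added example, not code from the original post, showing how a server-side session store can satisfy the checklist above: IDs come from a CSPRNG and are checked for uniqueness, the cookie carries only the opaque ID, every request is validated, idle sessions expire, and expired records are deleted on the server. The in-memory store, the cookie name, and the 15-minute timeout are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before a session expires


class SessionStore:
    """Server-side session store following the checklist (in-memory, for illustration)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}        # session_id -> {"user", "data", "last_seen"}
        self.idle_timeout = idle_timeout
        self.clock = clock         # injectable so expiry can be tested deterministically

    def create(self, user):
        # 256 bits from the OS CSPRNG: not guessable, and collisions are negligible.
        # The loop still refuses to overwrite a live session on a (theoretical) duplicate.
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions:
                break
        self._sessions[sid] = {"user": user, "data": {}, "last_seen": self.clock()}
        return sid  # only this opaque ID leaves the server; user/data stay here

    def validate(self, sid):
        """Run on every page request. Returns the session record, or None if invalid."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self.clock() - record["last_seen"] > self.idle_timeout:
            del self._sessions[sid]          # expired: delete on the server, not just reject
            return None
        record["last_seen"] = self.clock()   # activity resets the inactivity timer
        return record

    def destroy(self, sid):
        """Explicit logout: remove the record so the ID can never be replayed."""
        self._sessions.pop(sid, None)

    def purge_expired(self):
        """Housekeeping: delete sessions that timed out without a further request."""
        now = self.clock()
        stale = [s for s, r in self._sessions.items() if now - r["last_seen"] > self.idle_timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)

    def count(self):
        return len(self._sessions)


def cookie_header(sid):
    """Set-Cookie value carrying nothing but the session ID (assumed cookie name)."""
    return f"SESSIONID={sid}; Path=/; HttpOnly; Secure"
```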
