Session Management
Sessions are incredibly important. If an attacker can steal a legitimate user's session, it's just as if they had stolen that user's credentials because the attacker can execute any functions the real user can.
Proper session management involves protection against session hijacking and session fixation.
When thinking about the security of session management, it's important to remember that the session key (also known as a session identifier or token) is the key to the kingdom. With that unique token an attacker can impersonate another user, so it's important to guard it carefully.
Leaked Session Keys
Session keys are secrets, and should never be shown to anyone other than the user. Always put session keys in cookies, never in GET parameters or HTML forms. Users must send their session key with every request to the web server, and if those requests are not encrypted with transport layer security, the session key is easily obtained right off the wire.
Session Fixation
In this attack the attacker acquires a user's session key by getting the user to send a session key that is already known to the attacker (the key is "fixed" in advance). The server then accepts that key and fills the session with valuable information such as an authentication flag, at which point the attacker holds an authenticated session. See session fixation for more details.
Predicting Session Keys
If an attacker can predict what a session key will be before it is even put into use and sent to the user, they hold a valid session key from the moment it is issued. For this reason, session keys must be completely unpredictable: generate them from a high-quality entropy source (a cryptographically secure random number generator) and make them long enough that guessing is infeasible. See session hijacking for more details.
Questions To Ask
- Are session IDs exposed in the URL?
- Do session IDs time out, and can users log out?
- When a user logs out or times out, is the session invalidated?
- Are session IDs rotated after successful login?
- Are session IDs only sent over TLS/SSL?
- Are session IDs completely randomly generated?
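The following is an added example, not code from the wiki, showing how the checklist above and the fixation and prediction sections translate into a minimal server-side session store: IDs from a CSPRNG, rotation at login so a fixed ID never becomes authenticated, invalidation on logout and on idle timeout, and a cookie that is only sent over TLS. The class, the 15-minute timeout and the cookie name are assumptions for illustration.

```python
import secrets
import time

class SessionStore:
    """In-memory session store for the example: opaque random IDs, rotation on
    login, invalidation on logout, idle timeout (constructed, not a real library)."""

    def __init__(self, ttl=15 * 60, clock=time.time):
        self._sessions = {}  # session_id -> {"data": dict, "last_seen": float}
        self._ttl = ttl      # idle timeout in seconds (assumed value)
        self._clock = clock  # injectable clock so the timeout can be exercised

    def create(self):
        # 32 bytes from the OS CSPRNG (256 bits): unpredictable, long enough, cookie-safe text
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if the ID is unknown or timed out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._ttl:
            self.invalidate(sid)  # an expired session is removed, not merely ignored
            return None
        entry["last_seen"] = self._clock()
        return entry["data"]

    def rotate(self, old_sid):
        """Move the data to a fresh ID and kill the old one. Done at login, so an
        ID the attacker planted beforehand (fixation) never becomes authenticated."""
        data = self.get(old_sid) or {}
        self.invalidate(old_sid)
        new_sid = self.create()
        self._sessions[new_sid]["data"] = data
        return new_sid

    def invalidate(self, sid):
        self._sessions.pop(sid, None)  # idempotent: logout and timeout both land here

def login(store, sid, username):
    """Authenticate and return the new ID to set in the cookie (never the old one)."""
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = username
    return new_sid

def session_cookie(sid):
    """Set-Cookie value: Secure (TLS only), HttpOnly (no script access), SameSite."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```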
Wiki content is available under a Creative Commons 3.0 License.
