Category:WASS Session Management


Take measures to securely manage user identification.

Because HTTP is a stateless protocol, applications must provide a mechanism by which users are uniquely identified and their current state in the system is preserved between requests. This is achieved by issuing each user an identifier that accompanies every request they make to the application. Protecting this identifier is critical: if its value is discovered, an attacker can masquerade as that user and read information or perform operations on their behalf.

  1. The single, unique user identifier should meet the following requirements:
    1. Generated anew each time a user logs in
    2. Destroyed, and any permissions it carried revoked, when a user logs off
    3. Generated by a pseudo-random number generation scheme with good entropy
    4. Of a reasonable length, such that it cannot be guessed during its expected period of validity (lifetime)
    5. Invalidated (sessions should time out) after a reasonable period of inactivity
    6. Never chosen by the user: users should not be allowed to request a specific identifier
  2. Identifiers should be transmitted only over a secure connection
  3. Identifiers should be managed ONLY on the server side
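The following is an added example, not code from the OWASP page: a minimal server-side session store in Python that applies the requirements listed above (fresh identifier on login, destruction on logoff, CSPRNG-generated value, inactivity timeout, rejection of client-chosen identifiers, cookie attributes for transport). The `IDLE_TIMEOUT` value, the `SessionStore` class and the cookie name `sid` are assumptions for illustration.

```python
import secrets
import time

# Added example (not OWASP's code): a minimal server-side session store that
# implements the requirements in the list above. IDLE_TIMEOUT, the
# SessionStore class and the cookie name are assumptions for illustration.
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session becomes invalid

class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, now=time.time):
        self._sessions = {}   # sid -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._now = now       # injectable clock so expiry can be tested

    def _new_sid(self):
        # 32 random bytes from the OS CSPRNG (256 bits of entropy), URL-safe encoded
        return secrets.token_urlsafe(32)

    def login(self, user, old_sid=None):
        # Always issue a fresh identifier on login; drop any pre-auth session so
        # that an identifier the client presented earlier is never promoted
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = self._new_sid()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def logout(self, sid):
        # Destroy server-side state; the identifier now carries no permission
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        # Returns the user for a valid identifier, or None (unknown, expired, or
        # a client-chosen value that was never issued by login())
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > self._idle_timeout:
            self._sessions.pop(sid, None)   # inactivity timeout reached
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

def session_cookie(sid):
    # Cookie attributes: Secure restricts it to TLS, HttpOnly keeps it away from
    # page scripts, SameSite limits cross-site sends (cookie name "sid" assumed)
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```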
