This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Reviewing Code for Session Integrity issues"
From OWASP
(→HTML Hidden Field) |
|||
| Line 7: | Line 7: | ||
==Session Tracking/Management Techniques== | ==Session Tracking/Management Techniques== | ||
=== HTML Hidden Field === | === HTML Hidden Field === | ||
| − | + | The HTML Hidden field could be used to perform session tracking. Upon each HTTP POST request the hidden field is passed to the server identifying the user. It would be in the form of | |
<INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393"> | <INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393"> | ||
Revision as of 10:51, 27 August 2007
OWASP Code Review Guide Table of ContentsIntroduction
How to locate the potentially vulnerable code
Session Tracking/Management Techniques
HTML Hidden Field
The HTML Hidden field could be used to perform session tracking. Upon each HTTP POST request the hidden field is passed to the server identifying the user. It would be in the form of
<INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393">
Server-side code is used to perfrom validation on the VALUE in order to ensure the used is valid. This approach can only be used for POST/Form requests.
URL Rewriting
URL rewriting approaches session tracking by appending a unique id pertaining to the user at the end of the URL.
<A HREF="/smackmenow.htm?user=User001928394857738000094857hfduekjkksowie039848jej393">Click Here</A>
