This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ESAPI Session Management"
From OWASP
(→Possible Enhancements) |
|||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | == Feature Overview == | + | == Feature Overview (in Version 2.0)== |
| + | |||
| + | * Be able to distinguish initial login and subsequent login after session timeout (working) | ||
| + | |||
| + | * To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working) | ||
| + | |||
| + | * Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated. | ||
| + | |||
| + | * Automatic CSRF token validation in a centralized location. | ||
| + | |||
| + | * A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages | ||
| + | |||
TODO | TODO | ||
| Line 7: | Line 18: | ||
* Add a secure form tag that does CSRF as well as other form protections like autocomplete | * Add a secure form tag that does CSRF as well as other form protections like autocomplete | ||
| − | * | + | * Separate session management API and CSRF from the Authentication and HTTP utilities |
| + | |||
| + | * Add a flag to the changeSessionIdentifier method to not copy session content | ||
| + | |||
| + | * Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency | ||
Latest revision as of 02:23, 28 December 2008
Feature Overview (in Version 2.0)
- Be able to distinguish initial login and subsequent login after session timeout (working)
- To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working)
- Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated.
- Automatic CSRF token validation in a centralized location.
- A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages
TODO
Possible Enhancements
- Add a secure form tag that does CSRF as well as other form protections like autocomplete
- Separate session management API and CSRF from the Authentication and HTTP utilities
- Add a flag to the changeSessionIdentifier method to not copy session content
- Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency
