Difference between revisions of "ESAPI Session Management"

Latest revision as of 02:23, 28 December 2008

Be able to distinguish initial login and subsequent login after session timeout (working)

To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working)

Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated.

A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages

TODO

Add a secure form tag that does CSRF as well as other form protections like autocomplete

Separate session management API and CSRF from the Authentication and HTTP utilities

Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency

@@ Line 1: / Line 1: @@
-== Feature Overview ==
+== Feature Overview (in Version 2.0)==
+* Be able to distinguish initial login and subsequent login after session timeout (working)
+* To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working)
+* Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated.
+* Automatic CSRF token validation in a centralized location.
+* A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages
 TODO
@@ Line 11: / Line 22: @@
 * Add a flag to the changeSessionIdentifier method to not copy session content
-*
+* Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency