This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Secure Session Management Cheat Sheet

From OWASP
Revision as of 20:14, 18 July 2011 by Raul Siles (talk | contribs)

Jump to: navigation, search

Introduction

Web Authentication, Session Management, and Access Control

A web session is a sequence of network HTTP request and response transactions associated to the same user. Modern and complex web applications require to retain information or status about each user for the duration of multiple requests, therefore, sessions provide the ability to establish variables, such as access rights and localization settings, which will apply to every and each interaction a user has with the web application for the duration of the session.

Web applications can create sessions to keep track of anonymous users since the very first user request, for example, to maintain the user language preference. Additionally, web applications will make use of sessions once the user has authenticated in order to identify the user on any subsequent requests and be able to apply security access controls, grant access to the user private data, and increase the usability of the application. Therefore, current web applications can provide session capabilities both pre and post authentication.

Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or eye retina). See the OWASP Authentication Cheat Sheet: http://www.owasp.org/index.php/Authentication_Cheat_Sheet.

HTTP is a stateless protocol (RFC2616 [5]), where each request and response pair is independent of other web interactions, therefore, in order to introduce the concept of a session it is required to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications:

XXX

The session ID or token binds the user authentication credentials (in the form of a user session) to the user HTTP traffic and the appropriate access controls enforced by the web application. The complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.

The disclosure, capture, prediction, brute force, or fixation of the session ID will lead to session hijacking (or sidejacking) attacks, where an attacker is able to fully impersonate a victim user in the web application. Attackers can perform two types of session hijacking attacks, targeted or generic. On a targeted attack, the attacker’s goal is to impersonate a specific (or privileged) web application victim user, while in generic attacks, the attacker’s goal is to impersonate (or get access as) any valid or legitimate user in the web application.

Session ID Properties

Title 1.1

Text

Relevant

More text

Title 2

Title 2.1

Text. Numbered List:

  1. 1
  2. 2

Title 2.2

Related Articles

One'

For more information on XXX please see the OWASP Cross-Site Request Forgery (CSRF) page.


OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category


Authors and Primary Editors

Raul Siles - raul[at]taddong.com

Retrieved from "https://wiki.owasp.org/index.php?title=Secure_Session_Management_Cheat_Sheet&oldid=114132"