This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Codereview-Session-Management"

From OWASP
Jump to: navigation, search
(Description)
(Added na)
 
(11 intermediate revisions by one other user not shown)
Line 1: Line 1:
==Introduction==
+
{{LinkBar
[[OWASP Code Review Guide Table of Contents]]__TOC__
+
  | useprev=PrevLink | prev=Codereview-Authorization | lblprev=Authorization
[[Category:OWASP Code Review Project]]
+
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Codereview-Input Validation | lblnext=Input Validation
 +
}}
 +
__TOC__
  
 
==Description==
 
==Description==
 
Session management from a code review perspective should focus on the creation, renewal, and destruction of a user’s session throughout the application. The code review process should ensure the following:  
 
Session management from a code review perspective should focus on the creation, renewal, and destruction of a user’s session throughout the application. The code review process should ensure the following:  
  
'''Session ID:'''
+
'''Session ID'''<br>
 
 
 
Authenticated users should have a robust and cryptographically secure association with their session. The session identifier (Session ID) should not be predictable, and generation of such should be left to the underlying framework. The development effort to produce a session with sufficient entropy is subject to errors, and best left to tried and trusted methods.  
 
Authenticated users should have a robust and cryptographically secure association with their session. The session identifier (Session ID) should not be predictable, and generation of such should be left to the underlying framework. The development effort to produce a session with sufficient entropy is subject to errors, and best left to tried and trusted methods.  
  
'''Authorization:'''
+
'''Authorization'''
 
*Applications should check if the session is valid prior to servicing any user requests. The user's session object may also hold authorization data.  
 
*Applications should check if the session is valid prior to servicing any user requests. The user's session object may also hold authorization data.  
 
*Session ID should be applied to a new user upon successful authentication.  
 
*Session ID should be applied to a new user upon successful authentication.  
Line 16: Line 18:
 
*Sessions may need to be terminated upon authorization failures. If a logical condition exists which is not possible, unless the state transition is circumvented or an obvious attempt to escalate privileges, a session should be terminated.  
 
*Sessions may need to be terminated upon authorization failures. If a logical condition exists which is not possible, unless the state transition is circumvented or an obvious attempt to escalate privileges, a session should be terminated.  
  
 
+
'''Session Transport'''<br>
'''Session Transport'''
 
 
 
 
Applications avoid or prevent common web attacks, such as replay, request forging, and man-in-the-middle.  
 
Applications avoid or prevent common web attacks, such as replay, request forging, and man-in-the-middle.  
 
*Session identifiers should be passed to the user in a secure manner such as not using HTTP GET with the session ID being placed in the query string. Such data (query string) is logged in web server logs.  
 
*Session identifiers should be passed to the user in a secure manner such as not using HTTP GET with the session ID being placed in the query string. Such data (query string) is logged in web server logs.  
 
*Cookie transport should be performed over a secure channel. Review the code in relation to cookie manipulation. Verify if the secure flag is set. This prevents the cookie being transported over a non-secure channel.  
 
*Cookie transport should be performed over a secure channel. Review the code in relation to cookie manipulation. Verify if the secure flag is set. This prevents the cookie being transported over a non-secure channel.  
  
 
+
'''Session Lifecycle'''
'''Session lifecycle'''
 
 
*Session Timeout - Sessions should have a defined inactivity timeout and also in some cases a session hard-limit. The code review should examine such session settings. They may be defined in configuration files or in the code itself. Hard limits shall kill a session regardless of session activity.  
 
*Session Timeout - Sessions should have a defined inactivity timeout and also in some cases a session hard-limit. The code review should examine such session settings. They may be defined in configuration files or in the code itself. Hard limits shall kill a session regardless of session activity.  
 
*The log-out commands must do more that simply kill the browser. Review the code to verify that log-out commands invalidate the session on the server.  Upon the logout request, be it a parameter or URL, one must review the code to ensure the session is invalidated.
 
*The log-out commands must do more that simply kill the browser. Review the code to verify that log-out commands invalidate the session on the server.  Upon the logout request, be it a parameter or URL, one must review the code to ensure the session is invalidated.
  
'''Example for session invalidate:'''
+
'''Example for Session Invalidate:'''
 
 
 
  import java.io.*;
 
  import java.io.*;
 
  import javax.servlet.*;
 
  import javax.servlet.*;
 
  import javax.servlet.http.*;
 
  import javax.servlet.http.*;
 
  import java.sql.*;
 
  import java.sql.*;
  public class doLogout extends HttpServlet
+
  public class <font color="red">doLogout</font> extends HttpServlet
{
+
    {
public void doGet(HttpServletRequest req,HttpServletResponse res)throws ServletException,IOException
+
          public void doGet(HttpServletRequest req,HttpServletResponse res)throws ServletException,IOException
{
+
          {
        res.setContentType("text/html");
+
              res.setContentType("text/html");
        HttpSession ses =req.getSession();
+
              HttpSession ses =req.getSession();
        ses.removeValue("Login");
+
              ses.removeValue("Login");
        ses.removeValue("password");
+
              ses.removeValue("password");
        ses.invalidate();
+
              ses.invalidate();
          res.sendRedirect("http://company.com/servlets/login.html");
+
              res.sendRedirect("http://company.com/servlets/login.html");
}
+
          }
}
+
    }
  
  
 
===Related Vulnerabilities===
 
===Related Vulnerabilities===
 
 
*[[Reviewing Code for Data Validation]]
 
*[[Reviewing Code for Data Validation]]
 
*[[Reviewing code for XSS issues]]
 
*[[Reviewing code for XSS issues]]
Line 55: Line 52:
 
*[[Reviewing Code for Authentication]]
 
*[[Reviewing Code for Authentication]]
 
*[[Reviewing Code for Session Integrity issues]]
 
*[[Reviewing Code for Session Integrity issues]]
 +
 +
==Related Security Activities==
 +
 +
===Description of Session Management Vulnerabilities===
 +
 +
See the OWASP articles on [[:Category:Session Management Vulnerability|Session Management Vulnerabilities]].
 +
 +
===Description of Session Management Countermeasures===
 +
 +
See the OWASP articles on [[:Category:Session Management|Session Management Countermeasures]].
 +
 +
===How to Avoid Session Management Vulnerabilities===
 +
 +
See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Session Management|Avoid Session Management]] Vulnerabilities.
 +
 +
===How to Test for Session Management Vulnerabilities===
 +
 +
See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for Session Management|Test for Session Management]] Vulnerabilities.
 +
 +
{{LinkBar
 +
  | useprev=PrevLink | prev=Codereview-Authorization | lblprev=Authorization
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Codereview-Input Validation | lblnext=Input Validation
 +
}}
 +
 +
[[Category:OWASP Code Review Project]]

Latest revision as of 15:56, 9 September 2010

««Authorization«« Main
(Table of Contents)
»»Input Validation»»

Description

Session management from a code review perspective should focus on the creation, renewal, and destruction of a user’s session throughout the application. The code review process should ensure the following:

Session ID
Authenticated users should have a robust and cryptographically secure association with their session. The session identifier (Session ID) should not be predictable, and generation of such should be left to the underlying framework. The development effort to produce a session with sufficient entropy is subject to errors, and best left to tried and trusted methods.

Authorization

  • Applications should check if the session is valid prior to servicing any user requests. The user's session object may also hold authorization data.
  • Session ID should be applied to a new user upon successful authentication.
  • Reviewing the code to identify where sessions are created and invalidated is important. A user should be assigned a new unique session once authenticated to mitigate session fixation attacks.
  • Sessions may need to be terminated upon authorization failures. If a logical condition exists which is not possible, unless the state transition is circumvented or an obvious attempt to escalate privileges, a session should be terminated.

Session Transport
Applications avoid or prevent common web attacks, such as replay, request forging, and man-in-the-middle.

  • Session identifiers should be passed to the user in a secure manner such as not using HTTP GET with the session ID being placed in the query string. Such data (query string) is logged in web server logs.
  • Cookie transport should be performed over a secure channel. Review the code in relation to cookie manipulation. Verify if the secure flag is set. This prevents the cookie being transported over a non-secure channel.

Session Lifecycle

  • Session Timeout - Sessions should have a defined inactivity timeout and also in some cases a session hard-limit. The code review should examine such session settings. They may be defined in configuration files or in the code itself. Hard limits shall kill a session regardless of session activity.
  • The log-out commands must do more that simply kill the browser. Review the code to verify that log-out commands invalidate the session on the server. Upon the logout request, be it a parameter or URL, one must review the code to ensure the session is invalidated.

Example for Session Invalidate:

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;
public class doLogout extends HttpServlet
    {
         public void doGet(HttpServletRequest req,HttpServletResponse res)throws ServletException,IOException
         {
              res.setContentType("text/html");
              HttpSession ses =req.getSession(); 	
              ses.removeValue("Login");
              ses.removeValue("password");
              ses.invalidate();	 				 
              res.sendRedirect("http://company.com/servlets/login.html");			
         }	
    }


Related Vulnerabilities

Related Security Activities

Description of Session Management Vulnerabilities

See the OWASP articles on Session Management Vulnerabilities.

Description of Session Management Countermeasures

See the OWASP articles on Session Management Countermeasures.

How to Avoid Session Management Vulnerabilities

See the OWASP Development Guide article on how to Avoid Session Management Vulnerabilities.

How to Test for Session Management Vulnerabilities

See the OWASP Testing Guide article on how to Test for Session Management Vulnerabilities.


««Authorization«« Main
(Table of Contents)
»»Input Validation»»