This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Reviewing Code for Session Integrity issues

From OWASP
Revision as of 16:21, 6 September 2007 by EoinKeary (talk | contribs)

Jump to: navigation, search
OWASP Code Review Guide Table of Contents

Introduction

How to locate the potentially vulnerable code

Session Tracking/Management Techniques

HTML Hidden Field

The HTML Hidden field could be used to perform session tracking. Upon each HTTP POST request the hidden field is passed to the server identifying the user. It would be in the form of 

<INPUT TYPE="hidden" NAME="user"VALUE="User001928394857738000094857hfduekjkksowie039848jej393">


Server-side code is used to perfrom validation on the VALUE in order to ensure the used is valid. This approach can only be used for POST/Form requests.

URL Rewriting

URL rewriting approaches session tracking by appending a unique id pertaining to the user at the end of the URL. 

<A HREF="/smackmenow.htm?user=User001928394857738000094857hfduekjkksowie039848jej393">Click Here</A>


Cookies

Cookies were invented by netscape as a way of keeping state when using the stateless protocol HTTP. Commonly used for maintaining state but must be careful not to store any sensitive information in a cookie.


Persistant Cookies

State information and cookies

Leading Practice Patterns for Session Management/Integrity

HTTPOnly Cookie: Prevents cookie access via client side script. Not all browsers support such a directive.

Related Articles

http://www.owasp.org/index.php/Category:OWASP_Cookies_Database http://msdn2.microsoft.com/en-us/library/ms533046.aspx http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/Cookie.html

Retrieved from "https://wiki.owasp.org/index.php?title=Reviewing_Code_for_Session_Integrity_issues&oldid=21497"