Testing for Session Management

 4.5 Session Management Testing

At the core of any web-based application is the way in which it maintains state and thereby controls user-interaction with the site. Session Management broadly covers all controls on a user from authentication to leaving the application. HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session”. This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations.  Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie. There are a number of ways in which a web application may interact with a user.  Each is dependent upon the nature of the site, the security, and availability requirements of the application. Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.

4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)

4.7.2 Testing for Cookies attributes (OTG-SESS-002)

4.7.3 Testing for Session Fixation (OTG-SESS-003)

4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)

4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)

4.7.6 Testing for logout functionality (OTG-SESS-007)

4.7.7 Test Session Timeout (OTG-SESS-008)

4.7.8 Testing for Session puzzling (OTG-SESS-010)