
Session Management Framework



Overview

Session management is an important underlying function in modern web applications. Keeping sessions secure is one of the most important things a framework must do to ensure that applications built on that framework do not suffer from security flaws.

Session Data

Session data should be stored server-side and never transmitted to the client unless necessary. The framework should also provide a simple and easy way for the developer to access, add, delete, or modify session data.

Session ID

Generating

The session ID should always be generated by the framework, and no other party should be able to manually select a session ID. The ID should be generated in a cryptographically strong fashion. The session ID should always be generated from random numbers, and it should never be derived from any session-specific or environment-specific data.

Storage

The Session ID should be stored in a cookie which the client then submits to the server with every request. This cookie should have the HTTPONLY and SECURE flags set by default.

The framework should also provide an easy way for the developer to change the name of the session ID cookie to a custom value to avoid fingerprinting.

Cookie rewriting

URL rewriting (carrying the session ID in the URL instead of a cookie) is not recommended.

Ending a session

The framework should provide a simple method for a developer to remove a session. When that function is called, the session data itself should be purged from server memory, the session ID should no longer be kept as a valid ID, and the cookie should be removed from the client browser.
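The requirements above (framework-generated random IDs, server-side data, a configurable cookie name with HttpOnly and Secure set, and a session-removal method that purges data, invalidates the ID and clears the cookie) in one minimal in-memory store. This is an added illustration, not OWASP code; the class and method names are assumptions.

```python
import secrets
import time

class SessionStore:
    """Minimal in-memory session store (constructed example)."""

    def __init__(self, cookie_name="sid", ttl_seconds=1800):
        # Cookie name is configurable so a deployment can avoid framework fingerprinting.
        self.cookie_name = cookie_name
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"data": {...}, "expires": float}

    def create(self):
        # The ID comes only from the OS CSPRNG (32 random bytes, URL-safe encoded);
        # no user, host or clock information is mixed in.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "expires": time.time() + self.ttl}
        return sid

    def set_cookie_header(self, sid):
        # HttpOnly keeps page scripts away from the ID; Secure keeps it off plaintext HTTP.
        return f"{self.cookie_name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def load(self, cookie_header):
        # Parse a Cookie request header such as "sid=abc...; theme=dark".
        # An ID the server never issued, or one that expired, yields (None, None):
        # the client cannot choose its own session ID.
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.cookie_name:
                entry = self._sessions.get(value)
                if entry and entry["expires"] > time.time():
                    return value, entry["data"]
                break
        return None, None

    def destroy(self, sid):
        # Purge the server-side data (which also invalidates the ID) and
        # return a Set-Cookie header that makes the browser drop the cookie.
        self._sessions.pop(sid, None)
        return f"{self.cookie_name}=; Path=/; Max-Age=0; HttpOnly; Secure"
```

Session data is only ever reachable through the dictionary returned by load(); the client sees nothing but the opaque ID.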