Category:WASS Session Managment

From OWASP
Revision as of 23:22, 18 May 2006 by MikeAndrews (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Take measures to securely manage user identification.

Because HTTP is a stateless protocol, applications have to provide a mechanism where users are uniquely identified, and their current status in the system is preserved between operations. This can be achieved by providing each user with an identifier that follows them through the application. Protection of this identifier is very important because if its value is discovered, an attacker can masquerade as another user and access information or perform operations on his/her behalf.

  1. The single, unique, user identifier should meet the following requirements.
    1. Generated each time a user logs in
    2. Destroyed and reset to have no permission when a user logs off
    3. Generated based on a pseudo-random number generation scheme with good entropy
    4. Should be of a reasonable length such that it can not be guessed during the expected period of validity (or lifetime).
    5. Becomes invalid (sessions should time out) after a reasonable period of inactivity
    6. Users should not be allowed to request a specific identifier
  2. Identifiers should be transmitted over a secure connection
  3. Identifiers should be managed ONLY on the server-side.

This category currently contains no pages or media.