Difference between revisions of "Codereview-Session-Management"

From OWASP
Revision as of 15:47, 15 August 2008

Related Security Activities

Description of Session Management Vulnerabilities

See the OWASP articles on Session Management Vulnerabilities.

Description of Session Management Countermeasures

See the OWASP articles on Session Management Countermeasures.

How to Avoid Session Management Vulnerabilities

See the OWASP Guide article on how to Avoid Session Management Vulnerabilities.

How to Test for Session Management Vulnerabilities

See the OWASP Testing Guide article on how to Test for Session Management Vulnerabilities.

Description

Session management from a code review perspective should focus on the creation, renewal, and destruction of a user's session throughout the application. The code review process should ensure the following:

Session ID:

  • Authenticated users have a robust and cryptographically secure association with their session.
  • The session identifier (Session ID) should not be predictable, and its generation should be left to the underlying framework. The development effort to produce a session ID with sufficient entropy is error-prone and best left to tried and trusted methods.

Authorization:

  • Applications enforce authorization checks.
  • Applications should check if the session is valid prior to servicing any user requests. The user's session object may also hold authorization data.
    • Session ID should be applied to a new user upon successful authentication.
    • Reviewing the code to identify where sessions are created and invalidated is important.
    • Sessions may need to be terminated upon authorization failures. If a logical condition exists which is not possible unless the state transition is circumvented, or there is an obvious attempt to escalate privileges, the session should be terminated.

Session Transport

  • Applications avoid or prevent common web attacks, such as replay, request forging and man-in-the-middle.

Session identifiers should be passed to the user in a secure manner such as not using HTTP GET with the session ID being placed in the query string. Such data (query string) is logged in web server logs.

    • Cookie transport should be performed over a secure channel. Review the code in relation to cookie manipulation. Verify that the secure flag is set; this prevents the cookie being transported over a non-secure channel.

Session lifecycle

  • Session Timeout - Sessions should have a defined inactivity timeout and, in some cases, a session hard limit. The code review should examine such session settings; they may be defined in configuration files or in the code itself. Hard limits shall kill a session regardless of session activity.
    • The log-out commands must do more than simply kill the browser. Review the code to verify that log-out commands invalidate the session on the server.
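A minimal server-side session store, added here as an illustration and not code from the OWASP guide, that shows what the Session Transport and Session lifecycle checks above are looking for: a framework CSPRNG-generated ID issued on authentication, a sliding inactivity timeout plus an absolute hard limit, server-side invalidation on log-out, and the ID delivered in a Secure/HttpOnly cookie rather than a query string. The timeout values, cookie name and the `SessionStore` API are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
# Review checklist as code: these are the settings a reviewer looks for, whether
# they live in configuration files or in the code itself (assumed values).
INACTIVITY_TIMEOUT = 15 * 60      # seconds without a request before the session dies
HARD_LIMIT = 8 * 60 * 60          # absolute lifetime, regardless of activity

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    roles: set = field(default_factory=set)  # authorization data kept server-side

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now              # injectable clock so lifecycle rules are testable
        self._sessions = {}

    def create(self, user, roles=()):
        # Issue a fresh ID on successful authentication, from the platform CSPRNG;
        # never derive it from user data, a counter or a weak PRNG.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user, t, t, set(roles))
        return sid

    def validate(self, sid):
        """Return the live Session for sid, or None (and drop it) if expired/unknown."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        # Hard limit applies regardless of activity; inactivity timeout is sliding.
        if t - s.created > HARD_LIMIT or t - s.last_seen > INACTIVITY_TIMEOUT:
            self.invalidate(sid)
            return None
        s.last_seen = t
        return s

    def invalidate(self, sid):
        # Log-out must invalidate the session server-side, not just clear the cookie.
        self._sessions.pop(sid, None)

def set_cookie_header(sid):
    # Transport: deliver the ID in a cookie flagged Secure (TLS only) and HttpOnly,
    # never in a URL query string, which ends up in web server logs.
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Every request should go through `validate` before any authorization decision is made, and a log-out handler should call `invalidate` rather than only expiring the browser cookie.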

Related vulnerabilities