Difference between revisions of "ESAPI Session Management"

From OWASP
Jump to: navigation, search
(Possible Enhancements)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Feature Overview ==
+
== Feature Overview (in Version 2.0)==
 +
 
 +
* Be able to distinguish initial login and subsequent login after session timeout (working)
 +
 
 +
* To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working)
 +
 
 +
* Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated.
 +
 
 +
* Automatic CSRF token validation in a centralized location.
 +
 
 +
* A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages
 +
 
  
 
TODO
 
TODO
Line 8: Line 19:
  
 
* Separate session management API and CSRF from the Authentication and HTTP utilities
 
* Separate session management API and CSRF from the Authentication and HTTP utilities
 +
 +
* Add a flag to the changeSessionIdentifier method to not copy session content
 +
 +
* Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency

Latest revision as of 21:23, 27 December 2008

Feature Overview (in Version 2.0)

  • Be able to distinguish initial login and subsequent login after session timeout (working)
  • To Change session ID after a successful login with optional session content replication so that a timed out user can continue where he/she has left off (working)
  • Safe session management functions that will reject invalid session requests. For example, a request for session contents on an expired session should be rejected until the session is reactivated.
  • Automatic CSRF token validation in a centralized location.
  • A collection of anti-CSRF tags that can automatically incorporate CSRF token in forms when used in JSP pages


TODO

Possible Enhancements

  • Add a secure form tag that does CSRF as well as other form protections like autocomplete
  • Separate session management API and CSRF from the Authentication and HTTP utilities
  • Add a flag to the changeSessionIdentifier method to not copy session content
  • Consider whether ESAPI can provide CSRF protection without the User object - can we break the dependency