ESAPI Session Management

Revision as of 09:45, 11 December 2008 by Ljin (Feature Overview)


Feature Overview

  • Distinguish an initial login from a subsequent login that follows a session timeout (working)
  • Change the session ID after a successful login, so that an ID fixed before authentication cannot be reused (session fixation defence), with optional replication of the old session's content so that a user whose session timed out can continue where he or she left off (working)
  • Safe session management functions that reject invalid session requests. For example, a request for the contents of an expired session is rejected until that session has been reactivated by a fresh login.
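The three behaviours above fit together in one flow: a login rotates the session ID, the rotation may or may not carry the old content across, and any request that presents a timed-out ID is refused until the user logs in again. The following is an added illustration of that flow as a small in-memory model, not ESAPI's own Java code; the class and method names (SessionManager, change_session_identifier, the injectable clock, the idle_timeout default) are assumptions made for the example. The copy_content flag corresponds to the optional content replication described above. One caveat that the model enforces and that a practitioner should check in any implementation: content is only copied across the rotation when the old session is anonymous or belongs to the same user, so a timed-out session of a different user is never resumed by the new login.

```python
import secrets
import time


class SessionExpired(Exception):
    """The presented session ID belongs to a session that idled out."""


class Session:
    def __init__(self, sid, now):
        self.id = sid
        self.attributes = {}      # server-side session content
        self.last_access = now


class SessionManager:
    """In-memory model of rotate-on-login session handling (added example).

    `clock` is injectable so the idle timeout can be driven in tests; it is
    an assumption of this example, not an ESAPI parameter.
    """

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._live = {}       # sid -> Session
        self._expired = {}    # sid -> Session, kept only so the same user can resume it

    def create(self):
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG: unguessable
        session = Session(sid, self.clock())
        self._live[sid] = session
        return session

    def get(self, sid):
        """Return the live session for `sid`; refuse expired or unknown IDs."""
        session = self._live.get(sid)
        if session is None:
            if sid in self._expired:
                raise SessionExpired(sid)   # content stays off-limits until re-login
            raise KeyError("unknown session ID")
        if self.clock() - session.last_access > self.idle_timeout:
            self._expired[sid] = self._live.pop(sid)
            raise SessionExpired(sid)
        session.last_access = self.clock()
        return session

    def status(self, sid):
        """Classify an ID as 'live', 'expired' or 'unknown'."""
        try:
            self.get(sid)
            return "live"
        except SessionExpired:
            return "expired"
        except KeyError:
            return "unknown"

    def change_session_identifier(self, old, copy_content=True):
        """Issue a fresh ID and retire the old one (session fixation defence).

        copy_content=False yields an empty session under the new ID.
        """
        new = self.create()
        if copy_content:
            new.attributes.update(old.attributes)
        self._live.pop(old.id, None)       # the old ID is dead from here on
        return new

    def login(self, presented_sid, username, credentials_ok, copy_content=True):
        """Authenticate and rotate the session ID.

        Returns (session, kind): kind is 'initial' for a login on a live or
        unknown session and 'after_timeout' when the same user resumes a
        session that idled out.
        """
        if not credentials_ok:
            raise PermissionError("authentication failed")
        try:
            old, kind = self.get(presented_sid), "initial"
        except SessionExpired:
            expired = self._expired.pop(presented_sid)   # reactivate or discard it now
            if expired.attributes.get("user") == username:
                old, kind = expired, "after_timeout"     # same user: pick up where they left off
            else:
                old, kind = self.create(), "initial"     # someone else's stale state is dropped
        except KeyError:
            old, kind = self.create(), "initial"
        # Never carry another user's content into the new session.
        if old.attributes.get("user") not in (None, username):
            copy_content = False
        new = self.change_session_identifier(old, copy_content=copy_content)
        new.attributes["user"] = username
        return new, kind


if __name__ == "__main__":
    mgr = SessionManager(idle_timeout=900)
    anon = mgr.create()
    anon.attributes["cart"] = ["book"]          # constructed pre-login state
    s, kind = mgr.login(anon.id, "alice", True)
    print(kind, s.id != anon.id, s.attributes, mgr.status(anon.id))
```

Driving the clock past the idle timeout shows the rejection rule: every request with the old ID gets SessionExpired (not the session contents) until the same user logs in again, at which point a new ID is issued and the cart survives; a different user logging in on that ID gets a fresh, empty session.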


Possible Enhancements

  • Add a secure form tag that provides CSRF protection as well as other form protections, such as disabling autocomplete
  • Separate the session management API and CSRF protection from the Authentication and HTTP utilities components
  • Add a flag to the changeSessionIdentifier method to suppress copying of the session content into the new session