Session Management Library

From OWASP
Revision as of 04:20, 17 July 2013 by Rahul Chaudhary (Talk | contribs)



Introduction

A session management library is used to create, track and destroy the many sessions of a web application. Sessions are used in web applications to hold data about a user across requests. Because HTTP is stateless, each request stands on its own, and the application needs a way to associate every request with the user who made it if it is to behave dynamically. Take, for example, an online shop selling goods. The application has many customers, and each of them performs many transactions. Since HTTP itself carries no state between requests, the server cannot tell one request from another and cannot know what the user did previously. Hence sessions are layered on top of HTTP to remember data about clients. With sessions, on a client's first request the server allocates a unique, unguessable session ID to that client (usually delivered in a cookie). On later requests the client presents this ID, and the server uses it to look up the records it holds about that user. This is how a server associates transactions with users in an application.

With many users (and each user can have several sessions), keeping track of sessions, storing and retrieving their data, expiring them, and so on becomes a challenging task. This is where a "Session Management Library" steps in. Its sole purpose is to look after and manage the sessions of an application so that the security risks arising from abusive or careless use of sessions are mitigated.


Problems with Sessions

There is no denying that sessions give applications a great deal of power. But with great power comes great responsibility, so it is important to keep sessions safe. Failing to do so creates security holes so severe that the whole application can be compromised. There are several reasons to keep sessions safe:

  • A session represents a user's identity. If a session ID leaks, an attacker can present it to the server and pose as the legitimate user, retrieving that user's data.
  • Attacks such as "Session Hijacking" (stealing or guessing a valid session ID) and "Session Fixation" (planting a known ID on the victim before they log in, so that the attacker holds a valid ID afterwards) target sessions directly.
  • Sessions are usually carried in cookies, so a session is automatically exposed to cookie attacks: theft through cross-site scripting when the cookie lacks the HttpOnly attribute, or interception over plain HTTP when it lacks the Secure attribute.
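The following is an added example, not code from the OWASP page or from PHPSEC, showing in Python the mechanics the Introduction describes (server-generated IDs, look-up of per-user data, expiry) together with defences against the problems listed above (ID regeneration at login against fixation, rejection of unknown IDs, a client-fingerprint check and cookie attributes against hijacking). It assumes a single process with a dict-backed store, an injectable clock, and a client fingerprint derived from the User-Agent header; the session-ID length, timeouts and cookie name are choices made for the example:

```python
import hashlib
import hmac
import secrets
import time

# Added example (not PHPSEC code): an in-memory session store that shows the
# mechanics described in the text. Assumptions: a single process, dict-backed
# storage, and a caller-supplied client fingerprint (here a hash of the
# User-Agent header, constructed for the example).

SESSION_ID_BYTES = 32        # 256 bits from the OS CSPRNG; ids must be unguessable
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # hard ceiling on a session's lifetime, idle or not


def fingerprint(user_agent):
    """Hash of a stable client property; a weak hijack check, not a substitute for TLS."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry is testable
        self._sessions = {}    # session id -> record

    def create(self, client_fp):
        """Start a session under a server-generated id; client-chosen ids are never adopted."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        t = self._now()
        self._sessions[sid] = {"data": {}, "created": t, "last_seen": t, "fp": client_fp}
        return sid

    def load(self, sid, client_fp):
        """Return the session's data dict, or None if the id is unknown, expired or mismatched."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None                # unknown id: an attacker cannot plant one (fixation)
        t = self._now()
        if t - rec["last_seen"] > IDLE_TIMEOUT or t - rec["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)          # expiry bounds how long a leaked id stays useful
            return None
        if not hmac.compare_digest(rec["fp"], client_fp):
            self.destroy(sid)          # id presented from an unexpected client: kill it
            return None
        rec["last_seen"] = t
        return rec["data"]

    def regenerate(self, sid):
        """Move the record to a fresh id and invalidate the old one (fixation defence)."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = rec  # "created" is kept so ABSOLUTE_TIMEOUT still applies
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login(store, presented_sid, client_fp, username):
    """Bind a user to a session whose id the client did not arrive with."""
    if presented_sid is not None and store.load(presented_sid, client_fp) is not None:
        sid = store.regenerate(presented_sid)   # pre-login id may be attacker-planted
    else:
        sid = store.create(client_fp)
    store.load(sid, client_fp)["user"] = username
    return sid


def cookie_header(sid):
    """Cookie attributes that limit leakage of the id (Secure requires HTTPS)."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    fp = fingerprint("Mozilla/5.0 (constructed example UA)")
    pre_login = store.create(fp)                 # anonymous session before authentication
    sid = login(store, pre_login, fp, "alice")
    print("id rotated at login:", sid != pre_login)
    print("old id still valid:", store.load(pre_login, fp) is not None)
    print(cookie_header(sid))
    clock[0] += IDLE_TIMEOUT + 1
    print("valid after idle timeout:", store.load(sid, fp) is not None)
```

The fingerprint check only narrows the window for a stolen ID; the real protections against hijacking are an ID with enough entropy, transport over TLS, and the Secure and HttpOnly cookie attributes. Regenerating the ID at every privilege change, not just at login, is what defeats fixation.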


PHPSEC Session Management Implementation



Other Helpful Links: