Session Management Cheat Sheet

A web session is a sequence of HTTP request and response transactions associated with the same user. Modern, complex web applications need to retain information or state about each user across multiple requests. Sessions therefore provide the ability to establish variables – such as access rights and localization settings – which apply to every interaction a user has with the web application for the duration of the session.

Session ID Properties
Session ID Name Fingerprinting
Session ID Length (128bit – min)
Session ID Entropy (64char)
Session ID Content (or Value)

Session Management Implementation

Built-in Session Management Implementations
Used vs. Accepted Session ID Exchange Mechanisms
Transport Layer Security

Cookies
The session ID exchange mechanism based on cookies provides multiple security features in the
form of cookie attributes that can be used to protect the exchange of the session ID.

- Secure Attribute
- HttpOnly Attribute
- SameSite Attribute
- Domain and Path Attributes
- Expire and Max-Age Attributes
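The following is an added example and not code from the OWASP cheat sheet: it generates a session ID with the 128-bit minimum stated above, emits a Set-Cookie header carrying the listed protective attributes, and audits an arbitrary Set-Cookie header for the attributes that are missing or weak. The audit assumes a hex-encoded ID (so 128 bits is 32 characters) and uses a small constructed list of framework default cookie names for the fingerprinting check; the weak header under test is constructed for illustration.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Minimum session ID size recommended by the cheat sheet (128 bits).
SESSION_ID_MIN_BITS = 128

# Constructed list of well-known framework default cookie names; a default
# name lets an observer fingerprint the technology behind the application.
DEFAULT_FRAMEWORK_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid"}


def generate_session_id(nbits: int = SESSION_ID_MIN_BITS) -> str:
    """Return a hex-encoded session ID drawn from the OS CSPRNG."""
    if nbits < SESSION_ID_MIN_BITS:
        raise ValueError("session ID must carry at least 128 bits")
    return secrets.token_hex(nbits // 8)


def build_session_cookie(name: str, session_id: str, *, path: str = "/",
                         domain: Optional[str] = None,
                         max_age: Optional[int] = None,
                         same_site: str = "Strict") -> str:
    """Build a Set-Cookie header value with Secure, HttpOnly and SameSite set.

    Domain is omitted unless requested (host-only cookie); Max-Age is omitted by
    default so the browser treats the cookie as non-persistent.
    """
    parts = [f"{name}={session_id}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    parts.extend(["Secure", "HttpOnly", f"SameSite={same_site}"])
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Flag attributes without a value (Secure, HttpOnly) map to True.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, object] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return a list of findings for a session cookie header; empty means clean."""
    name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if name.lower() in DEFAULT_FRAMEWORK_NAMES:
        findings.append(f"name '{name}' is a framework default and fingerprints the stack")
    # Assumes a hex-encoded ID: 128 bits == 32 hex characters.
    if len(value) < SESSION_ID_MIN_BITS // 4:
        findings.append("value shorter than 32 hex chars (128 bits)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from client-side script")
    same_site = attrs.get("samesite")
    if same_site is None or same_site is True:
        findings.append("missing SameSite: sent on cross-site requests")
    elif str(same_site).lower() == "none":
        findings.append("SameSite=None: sent on all cross-site requests")
    if "max-age" in attrs or "expires" in attrs:
        findings.append("persistent cookie: session ID survives browser close")
    return findings


if __name__ == "__main__":
    header = build_session_cookie("id", generate_session_id())
    print(header)
    print(audit_session_cookie(header))  # []
    # Constructed weak header for illustration.
    print(audit_session_cookie("PHPSESSID=abc123; Path=/"))
```

The builder and the auditor are deliberately separate: the builder is what an application should emit, the auditor is what a reviewer or a response-header test can run against whatever the application actually emits.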

HTML5 Web Storage API

The localStorage API
Scope
Duration
Offline Access
Use Case
The sessionStorage API
Scope
Duration
Offline Access
Use Case

Web Workers
Use Case

Session ID Life Cycle

Session ID Generation and Verification: Permissive and Strict Session Management
Manage Session ID as Any Other User Input
Renew the Session ID After Any Privilege Level Change
Considerations When Using Multiple Cookies

Session Expiration
Automatic Session Expiration
Idle Timeout
Absolute Timeout
Renewal Timeout

Manual Session Expiration

Logout Button
Web Content Caching
Additional Client-Side Defenses for Session Management
Initial Login Timeout
Force Session Logout On Web Browser Window Close Events
Disable Web Browser Cross-Tab Sessions
Automatic Client Logout

Session Attacks Detection

Session ID Guessing and Brute Force Detection
Detecting Session ID Anomalies
Binding the Session ID to Other User Properties
Logging Sessions Life Cycle: Monitoring Creation, Usage, and Destruction of Session IDs
Simultaneous Session Logons
Session Management WAF Protections