Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Session security with cookies

RE: Session security with cookies

From: Jeffory Atkinson <jatkinson_at_zelvin.com>
Date: Tue, 4 Dec 2007 13:46:57 -0500

Till,
Here are some factors that you will want to ensure.
-Session token is delivered after authentication
-Each session token is unique and not predictable (requiring a strong
random token generator)
-Session token is transfer over an encrypted tunnel
-Session token is marked secure
-Ensure the session is terminated at logout
-Ensure the session times out in a reasonable amount of time
-All access control should be based on the user's session token and only
the session token
Optional
        Don't allow concurrent sessions.
        Don't allow IP hopping. (Changing of IP address mid session.)

There are more details that I am sure that someone one the list will
help fill in for you. But I believe these are a good start.

-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
On Behalf Of Till Elsner
Sent: Monday, December 03, 2007 6:32 PM
To: webappsec_at_securityfocus.com
Subject: Session security with cookies

Hi, i'm investigating in web application security this time and i'm
trying to find some information about session management with cookies
and related security issues. Can anyone point me to tips on how to
make cookie based sessions more secure and how to prevent session
hijacking? How secure is session handling using cookies and what are
the main risks? Is anyone aware of good literature on that topic?
Thanks and have a nice day
Till

------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Dec 04 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos