WebApp Sec mailing list archives

RE: Session security with cookies


From: "Jeffory Atkinson" <jatkinson () zelvin com>
Date: Tue, 4 Dec 2007 13:46:57 -0500

Till,
Here are some factors that you will want to ensure. 
-Session token is delivered after authentication
-Each session token is unique and not predictable (requiring a strong
random token generator)  
-Session token is transfer over an encrypted tunnel
-Session token is marked secure
-Ensure the session is terminated at logout
-Ensure the session times out in a reasonable amount of time
-All access control should be based on the user's session token and only
the session token
Optional
        Don't allow concurrent sessions.
        Don't allow IP hopping. (Changing of IP address mid session.)

There are more details that I am sure that someone one the list will
help fill in for you. But I believe these are a good start.  


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Till Elsner
Sent: Monday, December 03, 2007 6:32 PM
To: webappsec () securityfocus com
Subject: Session security with cookies

Hi, i'm investigating in web application security this time and i'm  
trying to find some information about session management with cookies  
and related security issues. Can anyone point me to tips on how to  
make cookie based sessions more secure and how to prevent session  
hijacking? How secure is session handling using cookies and what are  
the main risks? Is anyone aware of good literature on that topic?
Thanks and have a nice day
Till

------------------------------------------------------------------------
-
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-



-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


Current thread: