Session Management

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Session hijacking

An attack in which an attacker attempts to impersonate the user by using their session token which they sniffed out Happens when HTTP is used over HTTPS

What does marking the session cookies as HTTP Only do?

Prevents client code from accessing cookie Helps prevent XSS attacks

web session

a sequence of network HTTP request and response transactions associated to the same user

HTTP

stateless protocol where each request and response pair is independent of other web interactions.

Session fixation attack

Attacker logs into web server and gets a session ID Takes that session ID and uses it in link and sends it to victim Attacker later uses the session ID

What does avoiding setting values for Max-Age and expires do?

Ensures browser will remove cookie when browser is shut down Setting either value causes browser to treat cookies as "persistent" cookie

Session Identifier defense (GLD3)

Generate unique session IDs in a random (un-guessable) order Limit caching of session info through restrictive cache directives Do not reuse session IDs Distinguish btw "session" identifiers generated prior to and after user authentication (Always generate a new identifier after login) Do not expose session IDs in app URLs

Examples of Poor Session Lifecycle Management

Guessable session IDs Not destroying session when session is over Reusing and exposing sessions

Session Lifecycle Management Best Practices (TADA)

Tie audit events to the user session Automatically end/expire sessions after periods of user inactivity Do not allow infinitely-lived sessions (even w. no user activity) Always offer users a "log-out" option (Do not rely on expiry alone and do not assume users know how to close the browser)

cookies

allows the server to identify the user and retrieve the user's session from the session database so that the user's session is maintained Cookie based sessions end when user logs off or closes the browser

session ID/token

binds user authentication credentials (in form of a user session) to the user HTTP traffic and the appropriate access controls enforced by the web application

What does marking the session cookies as Secure do?

instructs browser to send cookie with HTTPS requests only prevents eavesdropping

best practices for cookies

mark session cookies as Secure and HTTP Only Avoid setting values for Max-Age and expires


Ensembles d'études connexes

Basic Nutrition Practice Quiz #1

View Set

Chapter 8 - Public Health Policy

View Set

HISTORY MODULE FIVE TEST, 10 History 5.16.2 Module 5 Quiz 2, 10 History 5.15.4 Module 5 Quiz 1, 10 History Module 4 Quiz 1, 10 History 3.10.4 Module 3, Quiz 3 Review, 10 History 3.9.5 Module 3 Quiz 2 Review, 10 History 3.8.7 would be for week 8 Test...

View Set

The Grand Empire: Spread of the Revolution

View Set

Property & Casualty Practice Exam: Commercial Lines

View Set

Chapter 12 - Central Nervous System Part 1

View Set

A&P Chapter 11: Muscular System: Axial and Appendicular Muscles

View Set