SSD Q6
Which of the following is not correct about web sessions?
- A session is a random token generated dynamically.
- A session can be used to save user preferences while visiting a website.
- A session is not needed for HTTP web applications requiring establishing user privilege level and list of permitted functionalities.
- None of the above.
A session is not needed for HTTP web applications requiring establishing user privilege level and list of permitted functionalities.
T/F In JSP programming, to use the HttpSession object, the programmer needs to instantiate an object to begin storing and retrieving data from the object.
False
To answer this question, you need to go to http://php.net/manual/en/function.session-start.php Is the statement below true/false? session_start() destroys a session if a current one already exists that may be obtained via a GET or POST request, or passed via a cookie.
False
In the JSP program below, which line will retrieve the last visit count?
1. <%
2. // Get session creation time.
3. Date createTime = new Date(session.getCreationTime());
4. // Get last access time of this Webpage.
5. Date lastAccessTime = new Date(session.getLastAccessedTime());
6. String title = "Welcome Back to my website";
7. Integer visitCount = new Integer(0);
8. String visitCountKey = new String("visitCount");
9. String userIDKey = new String("userID");
10. String userID = new String("ABCD");
11. // Check if this is new comer on your Webpage.
12. if (session.isNew() ){
13. title = "Welcome to my website";
14. session.setAttribute(userIDKey, userID);
15. session.setAttribute(visitCountKey, visitCount);
16. }
17. visitCount = (Integer)session.getAttribute(visitCountKey);
18. visitCount = visitCount + 1;
19. userID = (String)session.getAttribute(userIDKey);
20. session.setAttribute(visitCountKey, visitCount);
21. %>
Line 17
Which of the following is not a best programming practice for preventing session hijacking/stealing attacks?
- Name the session id based on the user name or user password.
- Use a long and random session id.
- Do not use the default session id provided by the web development framework.
- Set an explicit expiration time for each session created and send it to the client side via the cookie header.
Name the session id based on the user name or user password.
The following HTML code is an example of a suspected ____ type of attack.
<meta http-equiv="Set-Cookie" content= "PHPSESSID=abcdef; path=http://www.xyz.com; expires=Saturday, 15-June-15 08:20:00 GMT">
session fixation
T/F In PHP, the isset($_SESSION['xyz']) function returns true if there already exists a session with token "xyz".
true