Thursday, 15 July 2010

Session Management - Some Good Practices

Updated: April 9th 2012. Mainly addition of new HTTP headers to reflect developments over the last year or so.
 
"Broken Authentication and Session Management" is in at number 3 in the OWASP Top 10 - 2010 (up from number 7 in OWASP Top 10 - 2007). So here are a few good practices for managing sessions:
  • Mark session cookies as secure
  • Set the HTTPOnly flag on session cookies
  • Generate a new session cookie on successful logon
  • Have a Logout button on all pages where the session is authenticated. This should terminate the session.
  • Set the AUTOCOMPLETE to off on sensitive HTML fields/forms such as credit card numbers:
    <INPUT NAME="name" AUTOCOMPLETE=OFF>
  • Use the http meta refresh for browser timeouts. This will redirect to a timeout page after a period of inactivity:
    <meta http-equiv="refresh" content="300;url=timeoutpage " />
  • Set caching parameters to prevent sensitive data from being left on browser
    1. Pragma: no-cache
    2. Cache-Control: no-cache
    3. Expires: -1
These are some other useful HTTP headers, which may or may not be supported by your user's browsers. Many of these are easy security wins. Set them once and forget about them and they should not have any negative impact. You need to find out how to implement them in your environment.
  • Strict Transport Security - STS. This forces the browser to use SSL/TLS when connecting.
  • X-Frame-Options: DENY or SAMEORIGIN. These control the handling of frames.
  • X-XSS-Protection is a Microsoft Internet Explorer option aimed at helping to prevent XSS attacks in IE
  • X-Content-Type-Options: nosniff  This tells the browser not to try and guess the content type of responses. However, your application should always set the proper content type in its responses.
  • Content Security Policy - CSP.  This is aimed at preventing XSS. Essentially it tells browsers where content can be loaded from.  This is a very useful addition, but does require some effort to understand and implement correctly.
For details on how to implement them in your environment, use your favourite search engine.

Useful Links

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Posted by alexisfitzg at 18:56
Labels:

6 comments:

  1. Anonymous5 April 2012 at 23:57

    Why do you recommend to terminate session after logout?

    ReplyDelete
  2. alexisfitzg6 April 2012 at 09:22

    Hi, I think it is good practice to make sure that the session is terminated as part of the logout process.

    ReplyDelete
  3. Brian Hennessy30 May 2012 at 13:29

    Hi
    There is also a memory benefit to invalidating sessions as well as a security benefit. In java session.invalidate makes the object available for garbage collection, that can be significant if you have a high volume site and session expiry of 30 minutes(30 is the default for most j2ee app servers)

    ReplyDelete
  4. Habib21 June 2026 at 07:14

    Joyfully simple yet powerful, easybcd helps users manage boot entries with minimal effort. The tool remains stable, fast, and extremely useful for system configuration.

    ReplyDelete
  5. Luna21 June 2026 at 08:30

    Insightful I appreciate the convenience that crystaldiskmark brings to storage benchmarking and performance assessment Tasks are simple to perform results remain consistent and analysis requires minimal effort It enables users to understand drive capabilities with confidence.

    ReplyDelete
  6. Nikolay21 June 2026 at 08:37

    Tastefully designed for better usability, winsetupfromusb provides easy and effective bootable USB creation features. The software remains stable, user friendly, and highly dependable.

    ReplyDelete

Subscribe to: Post Comments (Atom)