Thursday 15 July 2010

Session Management - Some Good Practices

Updated: April 9th 2012. Mainly addition of new HTTP headers to reflect developments over the last year or so.
"Broken Authentication and Session Management" is in at number 3 in the OWASP Top 10 - 2010 (up from number 7 in OWASP Top 10 - 2007). So here are a few good practices for managing sessions:
  • Mark session cookies as secure
  • Set the HTTPOnly flag on session cookies
  • Generate a new session cookie on successful logon
  • Have a Logout button on all pages where the session is authenticated. This should terminate the session.
  • Set AUTOCOMPLETE to off on sensitive HTML fields/forms such as credit card numbers.
  • Use the http meta refresh for browser timeouts. This will redirect to a timeout page after a period of inactivity:
    <meta http-equiv="refresh" content="300;url=timeoutpage" />
  • Set caching parameters to prevent sensitive data from being left in the browser cache:
    1. Pragma: no-cache
    2. Cache-Control: no-cache
    3. Expires: -1
These are some other useful HTTP headers, which may or may not be supported by your user's browsers. Many of these are easy security wins. Set them once and forget about them and they should not have any negative impact. You need to find out how to implement them in your environment.
  • Strict Transport Security - STS. This forces the browser to use SSL/TLS when connecting.
  • X-Frame-Options: DENY or SAMEORIGIN. These control the handling of frames.
  • X-XSS-Protection is a Microsoft Internet Explorer option aimed at helping to prevent XSS attacks in IE.
  • X-Content-Type-Options: nosniff. This tells the browser not to try to guess the content type of responses. However, your application should always set the proper content type in its responses.
  • Content Security Policy - CSP. This is aimed at preventing XSS. Essentially it tells browsers where content can be loaded from. This is a very useful addition, but it does require some effort to understand and implement correctly.
For details on how to implement them in your environment, use your favourite search engine.
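As an added illustration of the two lists above (this is example code, not code from the original post), here is a small Python module that issues a Secure/HttpOnly session cookie, generates a fresh session id on logon, terminates the session on logout, and audits a response's headers against the recommended set. The header values, function names and the in-memory session store are assumptions made for the example.

```python
"""Session hardening helpers and an audit check (constructed example)."""
import secrets
from http.cookies import SimpleCookie

# Header values are assumptions for illustration; tune them for your application.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
    "Expires": "-1",
}

def new_session_id() -> str:
    """Unpredictable session identifier: 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)

def session_cookie(session_id: str, name: str = "SESSIONID") -> str:
    """Set-Cookie value carrying the Secure and HttpOnly flags."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["secure"] = True      # only sent over TLS
    jar[name]["httponly"] = True    # not readable from script
    jar[name]["path"] = "/"
    return jar[name].OutputString()

def login(store: dict, old_sid: str, username: str) -> str:
    """Issue a new session id on successful logon and discard the old one."""
    store.pop(old_sid, None)        # the pre-authentication session must not survive logon
    new_sid = new_session_id()
    store[new_sid] = {"user": username}
    return new_sid

def logout(store: dict, sid: str) -> None:
    """Terminate the session server-side, not merely in the browser."""
    store.pop(sid, None)

def audit(headers: list) -> list:
    """Report missing hardening headers and session cookies lacking flags."""
    present = {k.lower() for k, _ in headers}
    findings = [f"missing {h}" for h in REQUIRED_HEADERS if h.lower() not in present]
    for k, v in headers:
        if k.lower() == "set-cookie":
            attrs = {p.strip().split("=")[0].lower() for p in v.split(";")[1:]}
            findings += [f"cookie lacks {f}" for f in ("secure", "httponly") if f not in attrs]
    return findings
```

Run `audit()` over the header list your framework actually emits; an empty result means every item in the two lists above is present.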



  1. Why do you recommend terminating the session after logout?

  2. Hi, I think it is good practice to make sure that the session is terminated as part of the logout process.

  3. Hi
    There is also a memory benefit to invalidating sessions as well as a security benefit. In Java, session.invalidate makes the object available for garbage collection, which can be significant if you have a high-volume site and a session expiry of 30 minutes (30 is the default for most J2EE app servers).