"Broken Authentication and Session Management" comes in at number 3 in the OWASP Top 10 - 2010 (up from number 7 in the OWASP Top 10 - 2007). So here are a few good practices for managing sessions:
- Mark session cookies as secure
- Set the HTTPOnly flag on session cookies
- Generate a new session cookie on successful logon
- Have a Logout button on all pages where the session is authenticated. This should terminate the session.
- Set AUTOCOMPLETE to off on sensitive HTML fields/forms such as credit card numbers:
<INPUT NAME="name" AUTOCOMPLETE=OFF>
- Use the HTTP meta refresh for browser timeouts. This will redirect to a timeout page after a period of inactivity:
<meta http-equiv="refresh" content="300;url=timeoutpage" />
- Set caching parameters to prevent sensitive data from being left in the browser cache:
- Pragma: no-cache
- Cache-Control: no-cache
- Expires: -1
- Strict Transport Security - STS. This forces the browser to use SSL/TLS when connecting.
- X-Frame-Options: DENY or SAMEORIGIN. These control the handling of frames.
- X-XSS-Protection is a Microsoft Internet Explorer option aimed at helping to prevent XSS attacks in IE.
- X-Content-Type-Options: nosniff. This tells the browser not to try to guess the content type of responses. However, your application should always set the proper content type in its responses anyway.
- Content Security Policy - CSP. This is aimed at preventing XSS. Essentially it tells browsers where content can be loaded from. This is a very useful addition, but does require some effort to understand and implement correctly.
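To show how the cookie flags, the response headers and the logon/logout rules above fit together, here is an added example (not code from the original post) using only the Python standard library. It assumes an in-memory session store and constructed header values (the CSP and HSTS max-age in particular must be tuned to your own site).

```python
import secrets
from http.cookies import SimpleCookie

# Response headers from the list above (constructed values; adjust CSP/HSTS for your site).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-cache, no-store",
    "Pragma": "no-cache",
    "Expires": "-1",
}


class SessionStore:
    """Minimal in-memory store: fresh id on successful logon, destroyed on logout."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        # Issue a new id after authentication so a pre-logon id is worthless (session fixation defence).
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        # The Logout button must end the session server-side, not just drop the cookie.
        self._sessions.pop(sid, None)

    def get(self, sid):
        return self._sessions.get(sid)


def session_cookie_header(sid, name="SESSIONID"):
    """Set-Cookie value carrying the Secure and HttpOnly flags."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def response_headers(sid):
    """Headers to attach to every authenticated response."""
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = session_cookie_header(sid)
    return headers
```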
Useful Links
- Wikipedia: Strict Transport Security - STS
- Mozilla X-Frame-Options
- Microsoft IE Internals X-XSS-Protection
- Microsoft X-Content-Type-Options
- W3 Content Security Policy Specification
- OWASP Session Management Cheat Sheet
Why do you recommend terminating the session after logout?
Security testing is a must. Everybody wants security at every level of their work. As explained above, failures happen, but if we test from time to time then it will improve. So it depends on us how serious we are about this.
Hi, I think it is good practice to make sure that the session is terminated as part of the logout process.
Hi
There is also a memory benefit to invalidating sessions, as well as a security benefit. In Java, session.invalidate() makes the object available for garbage collection, which can be significant if you have a high-volume site and a session expiry of 30 minutes (30 is the default for most J2EE app servers).