"Broken Authentication and Session Management" is in at number 3 in the OWASP Top 10 - 2010 (up from number 7 in OWASP Top 10 - 2007). So here are a few good practices for managing sessions:
- Mark session cookies as secure
- Set the HTTPOnly flag on session cookies
- Generate a new session cookie on successful logon
- Have a Logout button on all pages where the session is authenticated. This should terminate the session.
- Set the AUTOCOMPLETE to off on sensitive HTML fields/forms such as credit card numbers:
<INPUT NAME="name" AUTOCOMPLETE=OFF>
- Use the http meta refresh for browser timeouts. This will redirect to a timeout page after a period of inactivity:
<meta http-equiv="refresh" content="300;url=timeoutpage " />
- Set caching parameters to prevent sensitive data from being left on browser
- Pragma: no-cache
- Cache-Control: no-cache
- Expires: -1
- Strict Transport Security - STS. This forces the browser to use SSL/TLS when connecting.
- X-Frame-Options: DENY or SAMEORIGIN. These control the handling of frames.
- X-XSS-Protection is a Microsoft Internet Explorer option aimed at helping to prevent XSS attacks in IE
- X-Content-Type-Options: nosniff This tells the browser not to try and guess the content type of responses. However, your application should always set the proper content type in its responses.
- Content Security Policy - CSP. This is aimed at preventing XSS. Essentially it tells browsers where content can be loaded from. This is a very useful addition, but does require some effort to understand and implement correctly.
- Wikipedia: Strict Transport Security - STS
- Mozilla X-Frame-Options
- Microsoft IE Internals X-XSS-Protection
- Microsoft X-Content-Type-Options
- W3 Content Security Policy Specification
- OWASP Session Management Cheat Sheet