Security: session management the right way
Written by Division by Zero   
Tuesday, 19 January 2010 12:03
From a security perspective, session management is one of the most important things to get right. An application has to do four things: time sessions out (keep a session alive for as short a time as possible), start a new session with a new ID whenever a client presents an ID the server no longer knows (never adopt the ID the client sends), reset the session on login, and reset the session on logout. The first two are standard in most frameworks, such as Java and .Net, but the last two are almost always forgotten.

Why is this important? We can't prevent an attacker from stealing a session ID, because that happens on the client side. But we can help the user minimise the damage. We do this by keeping sessions as short as possible and using SSL for secured pages (and marking the session cookie Secure, so it is never sent in the clear). If an attacker steals the session ID and the user then logs in, the attacker is logged in as well. Therefore we have to reset the session ID after the user logs in (over a secure connection, of course). That way the attacker no longer shares the user's session and isn't logged in.

If we reset the session when a user logs out, any stolen session ID becomes invalid at that moment. This way we minimise the window in which an attacker can abuse a stolen session.

Here's an example in C# (ASP.NET on System.Web):

using System.Web;

/// <summary>
/// Resets the session. Session.Abandon() alone is not enough: ASP.NET does not
/// remove the session ID cookie from the browser, so the next request would
/// present the old ID again. This does not prevent session theft, but it
/// makes a stolen ID worthless (or at least much harder to abuse).
/// </summary>
public static void ResetWebSession()
{
    // Abandon the current session: the server-side state is discarded
    HttpContext.Current.Session.Abandon();

    // Overwrite the session ID cookie with an empty value so the next
    // request carries no usable ID and the framework issues a fresh one
    HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}

We overwrite the session ID cookie, so the next request from the user carries an empty ID. The framework then generates a new ID and the old session is no longer valid. Remember that any values stored in the session are lost with it: anything that must survive the login (a guest shopping cart, for instance) has to be copied over explicitly, and an authenticated user has to be treated differently from a guest user.
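The four rules above, and what the reset does to a stolen ID, as an added framework-independent model in Python (example code written for this page, not the ASP.NET code from the post). The SessionStore class, the check_password helper, the user table and the 15-minute idle timeout are all constructed for the example; the walkthrough has an attacker copy a guest's ID before the user logs in and checks what that copy is worth afterwards:

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed credential table for this example only; a real application
# stores salted password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    # constant-time comparison so a wrong guess does not leak how much matched
    return secrets.compare_digest(USERS[username].encode(), password.encode())


@dataclass
class Session:
    user: Optional[str] = None          # None while the client is a guest
    data: Dict[str, object] = field(default_factory=dict)
    last_seen: float = 0.0


class SessionStore:
    """Server-side session table applying the four rules from the post:
    idle timeout, fresh ID for unknown IDs, new ID on login, reset on logout."""

    def __init__(self, idle_timeout: float = 15 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout   # assumed policy: 15 minutes idle
        self._clock = clock                 # injectable so tests can advance time

    def _create(self, user: Optional[str] = None,
                data: Optional[Dict[str, object]] = None) -> str:
        # 128 bits from the OS CSPRNG; never derive IDs from time, counters or user data
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, dict(data or {}), self._clock())
        return sid

    def resolve(self, presented_id: Optional[str]) -> Tuple[str, Session]:
        """Rules 1 and 2: drop idle sessions; a missing, unknown or expired ID
        gets a brand-new server-chosen ID. The presented value is never adopted,
        which is what defeats session fixation."""
        now = self._clock()
        session = self._sessions.get(presented_id) if presented_id else None
        if session is not None and now - session.last_seen > self._idle_timeout:
            del self._sessions[presented_id]
            session = None
        if session is None:
            sid = self._create()
            return sid, self._sessions[sid]
        session.last_seen = now
        return presented_id, session

    def login(self, presented_id: Optional[str], username: str, password: str,
              carry: Tuple[str, ...] = ()) -> str:
        """Rule 3: on successful authentication the pre-login session is destroyed
        and a new ID is issued, so anyone holding the old ID is not logged in.
        Only the keys named in `carry` (e.g. a guest shopping cart) survive."""
        if not check_password(username, password):
            raise PermissionError("bad credentials")
        old_id, old = self.resolve(presented_id)
        carried = {k: old.data[k] for k in carry if k in old.data}
        del self._sessions[old_id]
        return self._create(user=username, data=carried)

    def logout(self, presented_id: Optional[str]) -> str:
        """Rule 4: invalidate server-side, then hand the client a fresh guest ID,
        so a copy of the logged-in ID stolen earlier is now worthless."""
        if presented_id:
            self._sessions.pop(presented_id, None)
        return self._create()

    def user_for(self, presented_id: Optional[str]) -> Optional[str]:
        """Who the server believes holds this ID; None for a guest or unknown ID."""
        session = self._sessions.get(presented_id) if presented_id else None
        return session.user if session else None


def hijack_walkthrough() -> Dict[str, object]:
    """Attacker copies the victim's guest ID before login, then tries it after."""
    store = SessionStore()
    guest_id, guest = store.resolve(None)
    guest.data["cart"] = ["book"]
    stolen = guest_id                               # attacker's copy of the cookie
    user_id = store.login(guest_id, "alice", "correct horse battery staple", carry=("cart",))
    result = {
        "victim_logged_in": store.user_for(user_id),      # "alice"
        "attacker_logged_in": store.user_for(stolen),     # None: old ID is dead
        "cart_carried": store._sessions[user_id].data.get("cart"),
    }
    store.logout(user_id)
    result["id_after_logout"] = store.user_for(user_id)   # None again
    return result
```

The same `resolve` path serves both rules 1 and 2: an expired ID and an ID the server never issued are treated identically, and the client always ends up with an ID the server chose. Carrying data across the login by an explicit allow-list, rather than copying the whole session, is deliberate: it keeps the reset from silently dragging attacker-influenced guest state into the authenticated session.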

This isn't a foolproof concept, I know. But it is the only thing we can do on the session-management side to assist our users.
© 2009 - 2012, Division by Zero
This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.