This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
Session Management
Session Management

Version management

Difference between version and

At line 1 added 25 lines
!!! Overview
[{$pagename}] is the process of keeping track of a [User-agent]'s activity across [sessions] of interaction with the system.[{$pagename}] is the process of managing the [User-agent]'s [state][{$pagename}] is may involve the management of:
* [Sessions]
* [Session ID]
* [Tokens]
!! [HTTP] [{$pagename}] [1]
A [HTTP] [session] is a sequence of network [HTTP Request] and [HTTP Response] transactions associated to the same [User-agent]. Modern and complex web applications require the retaining of information or [state] about each user for the duration of multiple requests. Therefore, [sessions] provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the [HTTP] [Application] for the duration of the [session].
[HTTP] [Applications] can create sessions to keep track of [anonymous] users after the very first [HTTP Request]. An [example] would be maintaining the user language preference. Additionally, web applications will make use of [sessions] once the user has [Authenticated]. This ensures the ability to identify the user on any subsequent [HTTP Requests] as well as being able to apply security access controls, authorized access to the user [Private data], and to increase the usability of the application. Therefore, current web applications can provide session capabilities both pre and post [authentication].
Once an authenticated session has been established, the [session ID] (or [token]) is temporarily equivalent to the strongest [Authentication Method] used by the [application], such as username and [password], passphrases, one-time passwords ([OTP]), client-based digital [certificates], [Smart Cards], or [biometrics] (such as fingerprint or eye retina). See the OWASP Authentication Cheat Sheet.
[HTTP] is a stateless protocol ([RFC 2616] [5]), where each [HTTP Request] and [HTTP Response] pair is independent of other interactions. Therefore, in order to introduce the concept of a [session], it is required to implement [{$pagename}] capabilities that link both the [authentication] and [Access Control] (or [authorization]) modules commonly available in web applications.
The session ID or token binds the user [authentication] [credentials] (in the form of a user [session]) to the user [HTTP] traffic and the appropriate [Access Control] is enforced by the [application]. The complexity of these three components ([authentication], [{$pagename}], and [Access Control]) in modern web applications, plus the fact that its implementation and [binding] resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.The disclosure, capture, prediction, brute force, or fixation of the [session ID] will lead to [session hijacking] (or sidejacking) [attacks], where an [attacker] is able to [Impersonation] a victim user in the web application. [Attackers] can perform two types of session hijacking [attacks], [Targeted Attack] or [Opportunistic Attack]. In a [Targeted Attack], the attacker’s goal is to [Impersonation] a specific (or privileged) web application victim user. For [Opportunistic Attacks], the attacker’s goal is [Impersonation] (or get access as) any valid or legitimate user in the web application.
!! [OpenID Connect Session Management]
[OpenID Connect Session Management] describes how to manage [sessions] for [OpenID Connect], including when to log out the End-User.!! [{$pagename}]
Various SDKs provide [{$pagename}]
* [Java], the [Session] object is an instance of javax.servlet.http.HttpSession. The Session object provides a stateful context across multiple page requests from the same client during a conversation with the server!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Session Management Cheat Sheet|https://www.owasp.org/index.php/Session_Management_Cheat_Sheet|target='_blank'] - based on information obtained 2018-03-18-
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop