<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] is the process of keeping track of a [User-agent]'s activity across [sessions] of interaction with the system.[{$pagename}] is the process of managing the [User-agent]'s [state][{$pagename}] is may involve the management of: 
* [Sessions]
* [Session ID]
* [Tokens] 

!! [HTTP] [{$pagename}] [1]
A [HTTP] [session] is a sequence of network [HTTP Request] and [HTTP Response] transactions associated to the same [User-agent]. Modern and complex web applications require the retaining of information or [state] about each user for the duration of multiple requests. Therefore, [sessions] provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the [HTTP] [Application] for the duration of the [session].

[HTTP] [Applications] can create sessions to keep track of [anonymous] users after the very first [HTTP Request]. An [example] would be maintaining the user language preference. Additionally, web applications will make use of [sessions] once the user has [Authenticated]. This ensures the ability to identify the user on any subsequent [HTTP Requests] as well as being able to apply security access controls, authorized access to the user [Private data], and to increase the usability of the application. Therefore, current web applications can provide session capabilities both pre and post [authentication].

Once an authenticated session has been established, the [session ID] (or [token]) is temporarily equivalent to the strongest [Authentication Method] used by the [application], such as username and [password], passphrases, one-time passwords ([OTP]), client-based digital [certificates], [Smart Cards], or [biometrics] (such as fingerprint or eye retina). See the OWASP Authentication Cheat Sheet.

[HTTP] is a stateless protocol ([RFC 2616] [5]), where each [HTTP Request] and [HTTP Response] pair is independent of other interactions. Therefore, in order to introduce the concept of a [session], it is required to implement [{$pagename}] capabilities that link both the [authentication] and [Access Control] (or [authorization]) modules commonly available in web applications.

The session ID or token binds the user [authentication] [credentials] (in the form of a user [session]) to the user [HTTP] traffic and the appropriate [Access Control] is enforced by the [application]. The complexity of these three components ([authentication], [{$pagename}], and [Access Control]) in modern web applications, plus the fact that its implementation and [binding] resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.The disclosure, capture, prediction, brute force, or fixation of the [session ID] will lead to [session hijacking] (or sidejacking) [attacks], where an [attacker] is able to [Impersonation] a victim user in the web application. [Attackers] can perform two types of session hijacking [attacks], [Targeted Attack] or [Opportunistic Attack]. In a [Targeted Attack], the attacker’s goal is to [Impersonation] a specific (or privileged) web application victim user. For [Opportunistic Attacks], the attacker’s goal is [Impersonation] (or get access as) any valid or legitimate user in the web application.

!! [OpenID Connect Session Management]
[OpenID Connect Session Management] describes how to manage [sessions] for [OpenID Connect], including when to log out the End-User.!! [{$pagename}] 
Various SDKs provide [{$pagename}]
* [Java], the [Session] object is an instance of javax.servlet.http.HttpSession. The Session object provides a stateful context across multiple page requests from the same client during a conversation with the server!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Session Management Cheat Sheet|https://www.owasp.org/index.php/Session_Management_Cheat_Sheet|target='_blank'] - based on information obtained 2018-03-18- </pre>