SESSION MANAGEMENT
Security Mechanism:
Authentication
Authorization
Session Management
Data Validation
Error Handling
Logging
Encryption
Session Management Core Concepts
A session identifier becomes a “something you have” method of authentication.
Options for passing data between browser and web or app server.
Session lifetimes become a critical part of your application security.
The need to track state in a stateless protocol = Session Management
Session Management Words to Live By
• Enforce a reasonable session lifespan
• Leverage existing session management solutions
• Force a change of session ID after a successful login
Session Words to Live By: #1
• The problem
– The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
Enforce a reasonable session lifespan
Real World – Session Lifetimes
Secure Coding …
• General rule of thumb
– 30 minute timeout for inactivity
– 12 hour hard timeout
• Session management settings are usually part of the application server configuration
– As developers we need to understand how these options affect our application and verify that the system admin has configured the server correctly
Session Words to Live By: #2
– The lack of proper session expiration may improve the likely success of certain attacks.
Leverage existing session management solutions
It’s easier and generally more secure to use a vetted session management solution that has already been tested for these types of flaws.
Real World – Session ID Weakness
Just because it looks random…
Timestamp goes up predictably, session count just increments, IP is static, and the 2 random bytes at the end are fixed at server start time.
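An added example, not from the slides: a small Python check that profiles a sample of session IDs for exactly the structure this slide describes (fixed bytes and counter-like bytes), the kind of review a team can run against its own generator. The weak layout in weak_id is a constructed stand-in for the slide's ID, not any real product's format, and profile, strong_id, weak_sample and strong_sample are names chosen here.

```python
# Added example (not from the slides): profile a sample of session IDs for the
# structure the deck describes (predictable timestamp, incrementing counter,
# static IP, "random" bytes fixed at server start). The weak layout below is a
# constructed stand-in for the slide's example, not a real product's format.
import secrets
import struct

def weak_id(ts: int, count: int, ip: bytes, boot_rand: bytes) -> bytes:
    # 12-byte ID: 4-byte timestamp | 2-byte counter | 4-byte IP | 2 fixed bytes
    return struct.pack(">IH4s2s", ts, count, ip, boot_rand)

def strong_id() -> bytes:
    # What a vetted session manager does: 96 bits straight from the OS CSPRNG
    return secrets.token_bytes(12)

def profile(ids: list) -> dict:
    """Per byte position, flag values that never change or only ever go up."""
    width = len(ids[0])
    constant, counter_like = [], []
    for pos in range(width):
        column = [sid[pos] for sid in ids]
        if len(set(column)) == 1:
            constant.append(pos)
        elif all(a <= b for a, b in zip(column, column[1:])):
            counter_like.append(pos)
    # Generous upper bound on the bits an attacker would still have to guess:
    # every byte that is neither fixed nor monotonic is counted as fully random.
    guess_bits = 8 * (width - len(constant) - len(counter_like))
    return {"constant": constant, "counter_like": counter_like,
            "guess_bits": guess_bits}

def weak_sample(n: int = 50) -> list:
    # Constructed sample: one login per second on a server that booted once
    ip = bytes([10, 0, 0, 5])                       # static server address
    boot_rand = b"\x3a\x7f"                         # "random" bytes fixed at start
    return [weak_id(1_700_000_000 + i, i + 1, ip, boot_rand) for i in range(n)]

def strong_sample(n: int = 50) -> list:
    return [strong_id() for _ in range(n)]

if __name__ == "__main__":
    print("home-grown:", profile(weak_sample()))
    print("CSPRNG    :", profile(strong_sample()))
```

With 50 samples the home-grown layout leaves 0 bytes that are neither fixed nor monotonic, while the CSPRNG IDs show no fixed or counter-like positions at all.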
Secure Coding …
• As developers …
– We need to recognize when we need session management
– We know not to roll our own
Session Words to Live By: #3
• The problem
– Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Force a change of session ID after a successful login
Real World – Session Fixation
Secure Coding …
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// GetInput, ValidUser, lockAccount, MAX_LOGIN_ATTEMPTS, SUCCESS and FAILURE are
// the slide's own helpers and constants, assumed to exist elsewhere in the class.
public int authenticate(HttpServletRequest request)
{
    String username = GetInput("Enter Username");
    String password = GetInput("Enter Password");

    // The session the browser presented before login (created on demand)
    HttpSession session = request.getSession(true);

    // Check maximum login attempts; the attribute is absent on a fresh session.
    // getAttribute/setAttribute replace the deprecated getValue/putValue.
    Integer loginAttempts = (Integer) session.getAttribute("loginAttempts");
    if (loginAttempts != null && loginAttempts > MAX_LOGIN_ATTEMPTS)
    {
        lockAccount(username);
        return FAILURE;
    }

    if (ValidUser(username, password) == SUCCESS)
    {
        // Kill the current session so it can no longer be used
        session.invalidate();

        // Create an entirely new session (and session ID) for the logged in user
        HttpSession newSession = request.getSession(true);

        newSession.setAttribute("login", Boolean.TRUE);
        return SUCCESS;
    }
    else return FAILURE;
}
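The lifetimes rule of thumb and the session fixation fix together, as an added example that is not from the slides: a minimal Python in-memory session store that enforces the 30 minute idle timeout and 12 hour hard timeout from the lifetimes slide, and invalidates the pre-login session and issues a fresh ID on login as the Java snippet above does. SessionStore, IDLE_TIMEOUT, HARD_TIMEOUT and the method names are chosen here; the server's own clock is passed in as a parameter so the behaviour is testable.

```python
# Added example (not from the slides): a session store that enforces both
# timeouts from the deck and rotates the session ID after a successful login.
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30 * 60        # 30 minutes since the session was last used
HARD_TIMEOUT = 12 * 60 * 60   # 12 hours since the session was created

@dataclass
class Session:
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)

class SessionStore:
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id() -> str:
        # 128 bits from the OS CSPRNG; nothing derived from time, counters or IP
        return secrets.token_urlsafe(16)

    def create(self, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def lookup(self, sid: str, now: float):
        """Return the session if still valid (touching last_seen), else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created > HARD_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            # Expired: drop it so a replayed ID cannot revive it
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, old_sid: str, user: str, now: float) -> str:
        """Invalidate the pre-login session and issue a fresh ID for the user."""
        self._sessions.pop(old_sid, None)   # an attacker-known ID dies here
        new_sid = self.create(now)
        self._sessions[new_sid].data["user"] = user
        return new_sid
```

A session kept alive by regular requests still dies at the 12 hour mark, and the ID a browser held before login never becomes an authenticated session.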
06 application security fundamentals - part 2 - security mechanisms - session management