Invalidating session on window close

It is important to emphasize that SSL/TLS (HTTPS) does not protect against session ID prediction, brute force, client-side tampering or fixation.

Yet, session ID disclosure and capture from the network traffic is one of the most prevalent attack vectors even today.

The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.

The session ID length must be at least 128 bits (16 bytes).

The stored information can include the client IP address, User-Agent, e-mail, username, user ID, role, privilege level, access rights, language preferences, account ID, current state, last login, session timeouts, and other internal session details.

If the session objects and properties contain sensitive information, such as credit card numbers, it is required to duly encrypt and protect the session management repository.

The storage capabilities or repository used by the session management mechanism to temporarily save the session IDs must be secure, protecting the session IDs against local or remote accidental disclosure or unauthorized access.

A web application should make use of cookies for session ID exchange management.

Additionally, the “Secure” cookie attribute (see below) must be used to ensure the session ID is only exchanged through an encrypted channel.In order to keep the authenticated state and track the users progress within the web application, applications provide users with a session identifier (session ID or token) that is assigned at session creation time, and is shared and exchanged by the user and the web application for the duration of the session (it is sent on every HTTP request). With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties: The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID. Therefore, the session ID name can disclose the technologies and programming languages used by the web application.The session ID names used by the most common web application development frameworks can be easily fingerprinted [0], such as PHPSESSID (PHP), JSESSIONID (J2EE), CFID & CFTOKEN (Cold Fusion), ASP. It is recommended to change the default session ID name of the web development framework to a generic name, such as “id”.If a user submits a session ID through a different exchange mechanism, such as a URL parameter, the web application should avoid accepting it as part of a defensive strategy to stop session fixation.NOTE: Even if a web application makes use of cookies as its default session ID exchange mechanism, it might accept other exchange mechanisms too.The session ID value must provide at least 64 bits of entropy (if a good PRNG is used, this value is estimated to be half the length of the session ID).

You must have an account to comment. Please register or login here!