06 application security fundamentals - part 2 - security mechanisms - session management
- 1. SESSION MANAGEMENT Security Mechanism: Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
- 2. Session Management Core Concepts A session identifier becomes a “something you have” method of authentication. Options for passing data between browser and web or app server. Session lifetimes become a critical part of your application security. The need to track state in a stateless protocol = Session Management
- 3. Session Management Words to Live By Enforce a reasonable session lifespan Leverage existing session management solutions Force a change of session ID after a successful login
- 4. Session Words to Live By: #1 The problem – The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim. Enforce a reasonable session lifespan
- 5. Real World – Session Lifetimes
- 6. Secure Coding … General rule of thumb – 30 minute timeout for inactivity – 12 hour hard time out Session management setting are usually part of the application server configuration – As developers we need to understand how these options affect our application and verify that the system admin has configured the server correctly
- 7. Session Words to Live By: #2 – The lack of proper session expiration may improve the likely success of certain attacks. Leverage existing session management solutions It’s easier and generally more secure to use a vetted session management solution that has already been tested for these types of flaws.
- 8. Real World – Session ID Weakness Just because it looks random… Timestamp goes up predictably, session count just increments, IP is static, and the 2 random bytes at the end are fixed at server start time.
- 9. Secure Coding … As developers … – We need to recognized when we need session management – We know not to roll our own
- 10. Session Words to Live By: #3 The problem – Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Force a change of session ID after a successful login
- 11. Real World – Session Fixation
- 12. Secure Coding … 1 public int authenticate (HttpSession session) 2 { 3 string username = GetInput("Enter Username"); 4 string password = GetInput("Enter Password"); 5 6 // Check maximum logins attempts 7 if (session.getValue("loginAttempts") > MAX_LOGIN_ATTEMPTS) 8 { 9 lockAccount(username); 10 return(FAILURE); 11 } 12 13 if (ValidUser(username, password) == SUCCESS) 14 { 15 // Kill the current session so it can no longer be used 16 session.invalidate(); 17 18 // Create an entirely new session for the logged in user 19 HttpSession newSession = request.getSession(true); 20 21 newSession.putValue("login", TRUE); 22 return(SUCCESS); 23 } 24 else return(FAILURE); 25 }