Description:
When working with sessions there are a number of things you need to consider in order to implement them securely throughout your system. For more detailed information about these items you should check the knowledge base about:
- Session management control
- Session cookies without the Secure flag
- Session cookies without the HttpOnly flag
- External session hijacking
- Insecure transmission of session cookies
- Session information is not stored server side
- Session IDs should be generated with sufficient entropy; preferably the framework's default session management control implementation is used by the application
- User generated session ids should be rejected by the server
- The logout functionality should revoke the complete session
- The login functionality should always generate (and use) a new session id
- Session IDs do not time out (idle timeout)
- Absolute session time out
- Verify that the session id is never disclosed
- Session cookies (Domain)
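The following is an added illustration, not code from the knowledge base, of a minimal server-side session store that enforces the items listed above: IDs come from the OS CSPRNG, client-supplied IDs the server never issued are rejected, login always issues a fresh ID, logout revokes the server-side record, idle and absolute timeouts are enforced, and the cookie is emitted with the Secure, HttpOnly and Domain attributes. The web layer that calls it, the `app.example` domain and the timeout values are assumptions for the example.

```python
"""Constructed session-store example (not the knowledge base's own code).
Assumes a hypothetical web layer that calls these methods per request."""
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard lifetime from creation
COOKIE_NAME = "SESSIONID"


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """All session state lives server side; the client only holds an opaque id."""

    def __init__(self, clock=time.time):
        self._sessions: dict = {}
        self._clock = clock  # injectable so timeouts can be exercised in tests

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: sufficient entropy, never predictable
        return secrets.token_urlsafe(32)

    def create(self, user: Optional[str] = None) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Resolve a client-presented id. Ids the server never issued (including
        user-generated ones) are rejected; expired sessions are purged on sight."""
        if not sid or sid not in self._sessions:
            return None
        s = self._sessions[sid]
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute one
        return s

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Always issue a new id on authentication, so a pre-login id never
        carries over into the authenticated session (session fixation defence)."""
        old = self.get(old_sid)
        data = old.data if old else {}
        if old_sid in self._sessions:
            del self._sessions[old_sid]
        sid = self.create(user)
        self._sessions[sid].data = data  # keep e.g. a pre-login basket, under a new id
        return sid

    def logout(self, sid: Optional[str]) -> None:
        """Revoke the complete server-side session, not merely clear the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, domain: str = "app.example") -> str:
    """Build the Set-Cookie value with Secure, HttpOnly, SameSite and a tight Domain
    so the id is never sent over plain HTTP, read by script, or leaked to other hosts."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["domain"] = domain
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("Set-Cookie:", session_cookie_header(authed))
    print("old id still valid?", store.get(anon) is not None)  # False
```

Each request should call `get()` with the cookie value and treat `None` as "no session"; on successful authentication call `login()` and send the new cookie, and on logout call `logout()` before clearing the cookie.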
Solution:
The items pointed out above should be reviewed and taken into consideration whenever you work with sessions on your system, in order to enforce a high level of security.