Log, Monitor, and Alert
The application’s session management functionality should be closely integrated with its mechanisms for logging, monitoring, and alerting, in order to
The defensive measures that web applications must take to prevent attacks on their session management mechanisms correspond to the two
The usual simple summary of how cookies work is that the server issues a cookie using the HTTP response header
Various common vulnerabilities in session management mechanisms arise because of weaknesses in the way the application maps the creation and
Aside from the clear-text transmission of session tokens in network communications, the most common place where tokens are simply disclosed
No matter how effective an application is at ensuring that the session tokens it generates do not contain any meaningful
Some session tokens do not contain any meaningful data associating them with a particular user but are nevertheless guessable because
Session management mechanisms are often vulnerable to attack because tokens are generated in an unsafe manner that enables an attacker
The session management mechanism is a fundamental security component in the majority of web applications. It is what enables the
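The summaries above touch on two concrete mechanisms: how a server issues a session cookie in its HTTP response, and how tokens that embed meaningful data or are generated predictably become guessable. The following is an added example written for this page, not code from the original text or from any product it describes. It contrasts a deliberately weak token scheme (base64 of username and timestamp, an assumed illustration) with a token drawn from the operating system's CSPRNG, builds the Set-Cookie header a server would send, and audits a Set-Cookie header for the attributes a session cookie should carry. The cookie name sessid, the function names and the sample values are assumptions made for the demonstration.

```python
"""Added example (not part of the original page): weak vs. safe session
tokens, issuing the session cookie, and auditing a Set-Cookie header.
All names, the cookie name 'sessid' and the sample values are assumptions."""
import base64
import secrets


def weak_token(username: str, issued_at: int) -> str:
    """Deliberately bad 'before' case (assumed scheme): base64(username:timestamp).
    The token carries meaningful data (the username) and is guessable
    because the timestamp advances predictably."""
    return base64.b64encode(f"{username}:{issued_at}".encode()).decode()


def decode_weak_token(token: str) -> tuple[str, int]:
    """What an attacker does with the weak token: recover its fields."""
    user, ts = base64.b64decode(token).decode().split(":", 1)
    return user, int(ts)


def candidate_tokens(username: str, observed_ts: int, window: int = 5) -> list[str]:
    """Enumerate the weak tokens a victim could have been issued within
    +/- window seconds of a timestamp the attacker observed in their own token."""
    return [weak_token(username, observed_ts + d) for d in range(-window, window + 1)]


def strong_token(nbytes: int = 32) -> str:
    """Token from the OS CSPRNG: no embedded meaning, 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(name: str, value: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie header value the server sends when it issues a session.
    Secure keeps the token off clear-text HTTP, HttpOnly keeps it away from
    injected script, SameSite=Strict limits cross-site submission."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


def parse_set_cookie(header_value: str) -> tuple[str, str, dict]:
    """Minimal Set-Cookie parser: (name, value, {attribute_lowercase: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the list of missing or weak attributes on a session cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if attrs.get("secure") is not True:
        problems.append(f"{name}: missing Secure (token sent in clear text over http://)")
    if attrs.get("httponly") is not True:
        problems.append(f"{name}: missing HttpOnly (readable by injected script)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append(f"{name}: SameSite is not Lax or Strict")
    return problems


if __name__ == "__main__":
    # Constructed demo values, not captured from any real application.
    observed = weak_token("attacker", 1700000000)
    print("weak token decodes to:", decode_weak_token(observed))
    print("guesses for victim 'alice':", candidate_tokens("alice", 1700000000, 2))
    good = set_cookie_header("sessid", strong_token())
    print("issued:", good)
    print("audit of safe header:", audit_set_cookie(good))
    print("audit of bare header:", audit_set_cookie("sessid=abc; Path=/"))
```

The audit function is the check worth running against any application you test: capture the Set-Cookie header that establishes the session and confirm it carries Secure, HttpOnly and a SameSite value, then decode the token value itself (base64, hex, URL encoding) to see whether it contains anything recognisable.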