Current Focus: Session Management


Craig Younkins

Aug 11, 2010, 1:44:34 PM8/11/10
to python-...@googlegroups.com
Let's shift our current focus towards session management [1], including the prevention of session hijacking [2] and session fixation [3].

Session identifiers are keys to the kingdom, and can allow an attacker to impersonate an authenticated user without even knowing their credentials. Consider this: If you aren't using SSL, a user's session identifier can be sniffed off the wire anywhere along its path from the user's computer to your application server. Techniques like ARP spoofing worsen this - anyone on that user's local network can intercept their traffic without their knowledge, even if they aren't normally exposed to the packets heading from the user's computer to the internet. It's downright scary. With the session identifier an attacker just needs to start using it, usually by setting the appropriate cookie value. They can then use the website, already logged in as the stolen user.

Please take a few minutes to look at [1][2][3]. Do you need to check your application/framework? What's clear? What isn't? How can we better describe succinct recommendations? Your input is greatly appreciated. Thanks for your continued support!
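As an added example (not from the post or from the group), a minimal Python session store showing the controls this thread is about: a fresh identifier issued at login so a pre-planted id cannot be fixated, idle expiry so a sniffed id stops working, and Secure/HttpOnly cookie attributes so the id stays off plaintext HTTP and away from page scripts. The cookie name `sessionid`, the 30-minute timeout and the in-memory dict store are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # idle seconds before a session dies (assumed value)


class SessionStore:
    """Server-side session store: ids are random, rotated at login, expire when idle."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable for testing expiry

    def _new_id(self):
        # 32 bytes from the OS CSPRNG; never derive ids from user data or time
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Fixation defence: drop the id the browser arrived with (an attacker
        may have planted it) and bind the user to a brand-new one."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the logged-in user for sid, or None if unknown/expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # a stolen id is useless once idle
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)   # invalidate server-side, not just the cookie


def set_cookie_header(sid):
    """Set-Cookie value: Secure keeps the id off plain HTTP (the sniffing case
    above), HttpOnly keeps it out of reach of scripts running in the page."""
    c = SimpleCookie()
    c["sessionid"] = sid
    c["sessionid"]["secure"] = True
    c["sessionid"]["httponly"] = True
    c["sessionid"]["path"] = "/"
    return c.output(header="").strip()
```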