
Secure Session Management: Preventing Security Voids in Web Applications

Internet users all over the world rely on web-based systems to manage sensitive data such as bank account and healthcare information. Users assume these systems are securely designed, but many web applications contain severe security flaws that allow simple attacks to succeed. One of the most common of these vulnerabilities is insecure session management. Online systems have unique security considerations that must be addressed if the data they manage and control is to remain secure. This paper starts from the basics, defining what session management is and how it works. It then describes attacks on session management and the methods that defeat them. Finally, examples of session management flaws in popular web applications illustrate how session management can fail in practice. Good session management is achievable with a holistic, defense-in-depth approach, but only if the design team is properly educated and sets out to develop the web application securely from the outset.

1594 (PDF, 4.83MB)

5 May 2005
By Luke Murphey
All papers are copyrighted

No re-posting of papers is permitted
