Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: Drew Simonis <simonis () myself com>
Date: Sat, 23 Dec 2000 15:33:47 -0500

[I don't really see how this is on topic, but I'll do the benefit of]
[the doubt thing and let the moderator decide...                    ]

Mark Curphey wrote:

Apart from RFC 2965 (cookies) what other methods are available to developers
to manage sessions securely; i.e. authenticate each session in a transaction?

Is a decorated URL a better option?

Placing the credential material in the URL is another way, yes.
Is it better?  To answer that, we would really need to know in
what way you mean better.  For example, you can use encrypted
cookies, making life for an attacker a bit more difficult, while
this same option is obviously not available for a GET.  For the
concerns of function, cookies are often not the way to go, since
many users disable them and many filters deny them.  They just
aren't reliable enough.

My preferred method is to store the important information on the
server, either in a database or a unique file.  The only info I
pass between the server and the client is the unique identifier
(session id) which I do my best to make as random as possible.

Something like an MD5 hash is pretty good for this.  Perhaps
a hash of the user's first and last name, address and the record ID.

HTH
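As an added illustration of the server-side approach described in the reply above (this is example code written for this archive page, not code from the poster), the following Python sketch keeps all session state on the server and hands the client nothing but an opaque session identifier. The identifier comes from the operating system's CSPRNG via `secrets.token_urlsafe` rather than from a hash of user attributes, because a hash of known inputs (name, address, record ID) is deterministic and can be recomputed by anyone who knows those inputs. `SessionStore`, `session_id_from_request`, the `sid` cookie/query-parameter name and the idle timeout are all assumptions of this example. The helper accepts the identifier from either a cookie or a decorated URL, so both transports mentioned in the thread are handled.

```python
import re
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_ID_BYTES = 32           # 256 bits from the OS CSPRNG (assumed size)
SESSION_TTL_SECONDS = 30 * 60   # idle timeout, an assumed policy value
# token_urlsafe(32) yields 43 unpadded URL-safe base64 characters
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
SESSION_PARAM = "sid"           # assumed cookie / query parameter name


@dataclass
class Session:
    """Everything the application knows about a session lives here, server-side."""
    user_id: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for the database or per-session file the post describes."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested deterministically

    def create(self, user_id, **data):
        """Create a session and return the only value the client ever sees."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now, dict(data))
        return sid

    def lookup(self, sid):
        """Return the live Session for sid, or None if unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._ttl:
            del self._sessions[sid]          # expired: drop it so it cannot be reused
            return None
        session.last_seen = now
        return session

    def destroy(self, sid):
        """Logout: forget the server-side state so the identifier becomes worthless."""
        self._sessions.pop(sid, None)


def session_id_from_request(cookie_header, url):
    """Extract a well-formed session id from a Cookie header or a decorated URL.

    Cookies are preferred; the query string is the fallback for clients that
    reject cookies. Anything that does not look like a token we issued is
    rejected before it ever reaches the store.
    """
    candidate = None
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if SESSION_PARAM in jar:
            candidate = jar[SESSION_PARAM].value
    if candidate is None:
        query = parse_qs(urlsplit(url).query)
        candidate = query.get(SESSION_PARAM, [None])[0]
    if candidate is None or not TOKEN_RE.match(candidate):
        return None
    return candidate


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", role="user")
    print("issued:", sid)
    print("lookup:", store.lookup(sid))
    print("from url:", session_id_from_request(None, f"/account?{SESSION_PARAM}={sid}"))
```

Because the client holds only the random identifier, the data tied to the session cannot be tampered with on the client side, and logout or expiry is enforced by deleting server state rather than by trusting the client to discard anything.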

