RE: improvements in session management?

["WebAppSecurity [Technicalinfo.net]" <webappsec () technicalinfo net>]

For a full explaination etc. see the section "Good Session Management" on
http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

... As well as further analysis on what constitutes good/bad practices.

Cheers,

Gunter

> -----Original Message-----
> From: flatline [mailto:flatline () greyhat nl] 
> Sent: 31 March 2004 18:44
> To: webappsec () securityfocus com
> Subject: improvements in session management?
>
> Hi,
>
> I was wondering if people have come up with new techniques to 
> defeat against server side session/state management attacks 
> since the last active thread on this topic.
>
> My own webapps use what I think is so far the best (but far 
> from perfect) solution against session id replay attacks. The 
> idea was discussed some time ago on this list and it involves 
> keeping a global session id (which is probably how all 
> webapps operate), in conjunction with a per-request token. 
> The request token is an id given out by the server, which has 
> to be echoed back by the client on the next request it makes.
>
> The server verifies the session id/request token, discards 
> the current request token and generates a new one for the 
> next request the client will make. Once the server encounters 
> a valid session id in combination with an invalid request 
> token, it knows the session has been subverted and 
> invalidates it. This in fact creates a race condition between 
> the attacker and the client/victim (whose session was 
> stolen), which is AFAIK the only imperfection of this method.
>
> My question to you is if anyone has come up with better ideas 
> or improvements on this technique. I think this subject is 
> far from resolved and needs closer inspection!
>
> TIA,
>
> / flatline