Hi, I am Ashish Popli and I work with the ACE Services Team.
There is a lot of security review guidance available that is technology or platform specific, but at the heart of a security review there are some basic security principles that can be applied to any technology or platform. This series of blogs will be my attempt to highlight some of these principles under several key areas of application security. Today we look at session management – a critical design consideration for all web-based applications.
| Attacks and Threats | Safeguards and Countermeasures |
|---|---|
| | Protect session IDs and other tokens used for identification during transit. |
| Session ID Guessing | Implement strong, non-predictable algorithms. |
| | Implement a session expiration mechanism with a business-justified minimum and maximum lifetime. |
| | Give users of your applications clear and explicit means to terminate their session, such as a logout button. |
| | Ensure that logout functionality invalidates the server-side session. |
| | Maintain the session state on the server for web-based applications, and associate it with a single client through the use of a session ID. |
| | Tie the session state to a specific browser session through the use of a session cookie. |
| | Avoid storing session state in a persistent cookie. |
| | Avoid using hidden fields for maintaining session state. |
| Denial of Service | Allocate session-based resources only after successful authentication. |
| | Do not allow sessions to span both secure and non-secure connections. |
| | Configure session cookies to restrict distribution beyond the application. |
| | Set the secure flag on the session cookies if the session cookies are to be transmitted only over SSL. |
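The following is an added example (not part of the original post) that puts several of the safeguards above into one small server-side session store: an unguessable session ID from the OS CSPRNG, idle and absolute expiration, logout that invalidates the server-side record, and a non-persistent session cookie carrying the Secure flag. The timeout values and the `now` clock hook are assumptions chosen for illustration.

```python
import secrets
import time

# Constructed sample policy (assumed values): idle timeout and absolute lifetime in seconds.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_LIFETIME = 8 * 60 * 60


class SessionStore:
    """Server-side session state keyed by an unguessable session ID."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._sessions = {}      # session ID -> state; nothing lives in the cookie

    def create(self, user):
        # Call only after `user` has authenticated, so unauthenticated clients
        # cannot make the server allocate session resources.
        # 32 bytes from the OS CSPRNG: not predictable or enumerable.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        # Returns the user bound to a live session, or None if unknown or expired.
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            self.invalidate(sid)   # expired: drop server-side state, do not renew
            return None
        s["last_seen"] = t
        return s["user"]

    def invalidate(self, sid):
        # Logout removes the server-side record; clearing the cookie alone is not enough.
        return self._sessions.pop(sid, None) is not None


def session_cookie(sid, name="SID"):
    # Secure: sent only over TLS, so the session cannot span a non-secure connection.
    # HttpOnly: not readable by script. Path restricts distribution to this application.
    # No Expires/Max-Age: a browser-session cookie, not a persistent one.
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```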
apopli at microsoft dot com