Application Security Guidance – Session Management

Hi, I am Ashish Popli and I work with the ACE Services Team.

There is a lot of security review guidance available that is technology or platform specific, but at the heart of a security review there are some basic security principles that can be applied to any technology or platform. This series of blogs will be my attempt to highlight some of these principles under several key areas of application security. Today we look at session management, a critical design consideration for all web-based applications.

| Attacks and Threats | Safeguards and Countermeasures |
|---|---|
| Session Hijacking | Protect session IDs and other tokens used for identification during transit. |
| Session ID Guessing | Implement strong, non-predictable algorithms. |
| Session Re-Use | Implement a session expiration mechanism with a business-justified minimum and maximum lifetime. |
| | Give users of your applications clear and explicit means to terminate their session, such as with a logout button. |
| | Ensure that logout functionality invalidates the server-side session. |
| Client Impersonation | Maintain the session state on the server for web-based applications, and associate it with a single client through the use of a session ID. |
| | Tie the session state to a specific browser session through the use of a session cookie. |
| Malicious Clients | Avoid storing session state in a persistent cookie. |
| | Avoid using hidden fields for maintaining session state. |
| Denial of Service | Allocate session-based resources only after successful authentication. |
| Session Theft | Do not allow sessions to span across both secure and non-secure connections. |
| | Configure session cookies to restrict distribution beyond the application. |
| | Set the secure flag of the session cookies if the session cookies are to be transmitted only over SSL. |
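As an added example (not code from the original post or from the ACE team), the following Python sketch shows how several of the safeguards above fit together in a server-side session store: an unguessable ID from the OS CSPRNG, state held on the server and keyed by that ID, idle and absolute expiry, a logout that removes the server-side state, and a non-persistent session cookie scoped to the application with the Secure and HttpOnly flags set. The timeout values and the `/app` path are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed business-justified lifetimes: idle limit and an absolute cap.
IDLE_TIMEOUT = 15 * 60        # seconds without activity before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since creation, regardless of activity


class SessionStore:
    """Session state lives on the server; the client only holds the ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user):
        # Call this only after authentication has succeeded, so that
        # unauthenticated clients cannot make the server allocate sessions.
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)  # expired sessions cannot be re-used
            return None
        s["last_seen"] = t
        return s

    def invalidate(self, sid):
        # Logout must drop the server-side record, not just the cookie.
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid):
    """Set-Cookie line: no Expires/Max-Age (non-persistent), Secure, HttpOnly,
    restricted to the application's path and not sent cross-site."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["path"] = "/app"
    c["sid"]["samesite"] = "Strict"
    return c.output(header="Set-Cookie:")
```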


Ashish Popli
Senior Consultant
ACE Services
apopli at microsoft dot com
