Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Session security with cookies

from [Jeffory Atkinson] Network Security [Permanent Link]
Subject: RE: Session security with cookies
Date: Tue, 4 Dec 2007 13:46:57 -0500 
Till,
Here are some factors that you will want to ensure. 
-Session token is delivered after authentication
-Each session token is unique and not predictable (requiring a strong
random token generator)  
-Session token is transfer over an encrypted tunnel
-Session token is marked secure
-Ensure the session is terminated at logout
-Ensure the session times out in a reasonable amount of time
-All access control should be based on the user's session token and only
the session token
Optional
        Don't allow concurrent sessions.
        Don't allow IP hopping. (Changing of IP address mid session.)

There are more details that I am sure that someone one the list will
help fill in for you. But I believe these are a good start.  


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Till Elsner
Sent: Monday, December 03, 2007 6:32 PM
To: webappsec@securityfocus.com
Subject: Session security with cookies

Hi, i'm investigating in web application security this time and i'm  
trying to find some information about session management with cookies  
and related security issues. Can anyone point me to tips on how to  
make cookie based sessions more secure and how to prevent session  
hijacking? How secure is session handling using cookies and what are  
the main risks? Is anyone aware of good literature on that topic?
Thanks and have a nice day
Till

------------------------------------------------------------------------
-
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-



-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Session security with cookies, Paul Johnston
Next by Date:  Re: Session security with cookies, Ron
Previous by Thread:  Re: Session security with cookies, Paul Johnston
Next by Thread:  Re: Session security with cookies, bugtraq
Indexes:  [Date] [Thread] [Top] [All Lists]