must be unpredictable (random enough) to prevent guessing attacks
good PRNG (Pseudo Random Number Generator) must be used
must provide at least 64 bits of entropy
Session ID Content (or Value)
content (or value) must be meaningless
identifier on the client side
meaning and business or application logic associated to the session ID must be stored on the server side
session objects or in a session management database or repository
create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).
Session Management Implementation
defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID
token expiration date and time
This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods
Transport Layer Security
use an encrypted HTTPS (SSL/TLS) connection for the entire web session
not only for the authentication
process where the user credentials are exchanged.
“Secure” cookie attribute
must be used to ensure the session ID is only exchanged through an encrypted channel
never switch a given session from HTTP to HTTPS, or viceversa
should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)
should not offer public unencrypted contents and private encrypted contents from the same host
www.example.com over HTTP (unencrypted) for the public contents
secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)
only has port TCP/80 open
only has port TCP/443 open
“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.
Secure Attribute
instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection
HttpOnly Attribute
instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object
Domain and Path Attributes
instructs web browsers to only send the cookie to the specified domain and all subdomains
“Domain” cookie attribute
“Path” cookie attribute
instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application
vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com
Expire and Max-Age Attributes
“Max-Age”
“Expires” attributes
it will be considered a
persistent cookie
and will be stored on disk by the web browser based until the expiration time
use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.
