
Session Id
Users prove they own a session by submitting authentication parameters with each request. These typically include a session id and may include other factors such as a nonce. Session ids are designed to be long and random so that it is infeasible to guess them.

Transport
Session management is essentially a process of providing secrets, such as a session id, to authenticated users and having them pass those secrets back to you. As such, cryptographically secure network communications are required to implement secure session management.

Cookies
The security of clients is a concern for session management. In the case of a web browser, session ids may be stored in secure cookies. In some cases, browsers can be tricked into giving up their session credentials with attacks such as DNS spoofing. As such, consideration of cookie security is within the scope of session management.

Session Expiry
Sessions are designed to be temporary objects that expire. Their lifetime is typically extended with each new request, up to a maximum age that cannot be exceeded.

Session Resources
Session management may be targeted by denial of service attacks that flood a service with requests to create new sessions. As such, session management is ideally resource light.

Detecting Anomalies
Session management may include features to detect anomalies such as brute force guesses of session ids or denial of service attacks. In some cases, session management may prevent users from creating multiple sessions from the same IP. For practical reasons of usability, this may be allowed up to some limit.

Overview: Session Management
Type | Secure Coding, Information Security
Definition | The process of securing multiple requests to a service from the same user or entity.
Related Concepts |
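The properties described above (long random ids, sliding expiry bounded by a maximum age, a per-IP session limit, and counting unknown-id lookups as an anomaly signal) in one small in-memory session store. This is an added example, not code from the original article; the lifetimes, limits and helper names are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
# Added example, not from the original article: an in-memory session store with long
# random ids, sliding expiry capped by a hard maximum age, and per-IP limits (all assumed values).
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
MAX_AGE = 8 * 3600            # absolute lifetime a session can never exceed
MAX_SESSIONS_PER_IP = 5       # usability-driven cap on concurrent sessions per client
MAX_BAD_LOOKUPS_PER_IP = 20   # unknown-id lookups tolerated before an IP is flagged

@dataclass
class Session:
    user: str
    ip: str
    created: float
    last_seen: float

class SessionStore:
    def __init__(self):
        self.sessions = {}      # session id -> Session
        self.bad_lookups = {}   # client ip -> count of lookups for unknown ids

    def _expired(self, s, now):
        return now - s.last_seen > IDLE_TIMEOUT or now - s.created > MAX_AGE

    def create(self, user, ip, now=None):
        now = time.time() if now is None else now
        live = sum(1 for s in self.sessions.values() if s.ip == ip and not self._expired(s, now))
        if live >= MAX_SESSIONS_PER_IP:
            return None   # refuse: too many concurrent sessions from one address
        sid = secrets.token_urlsafe(32)   # 256 random bits: infeasible to guess
        self.sessions[sid] = Session(user, ip, now, now)
        return sid

    def validate(self, sid, ip, now=None):
        now = time.time() if now is None else now
        # Constant-time comparison so response timing does not leak matching id prefixes.
        match = next((k for k in self.sessions if hmac.compare_digest(k, sid)), None)
        if match is None:
            self.bad_lookups[ip] = self.bad_lookups.get(ip, 0) + 1  # possible guessing
            return None
        s = self.sessions[match]
        if self._expired(s, now):
            del self.sessions[match]
            return None
        s.last_seen = now   # sliding extension; MAX_AGE still bounds the total life
        return s.user

    def suspicious(self, ip):
        return self.bad_lookups.get(ip, 0) >= MAX_BAD_LOOKUPS_PER_IP
```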