[Owasp-guide] requesting assignments
Andrew van der Stock
vanderaj at owasp.org
Mon Nov 24 13:58:58 EST 2008
Can I please assign you the session management chapter?
It needs some TLC - as in a near total re-write. Do not discuss
attacks or vulnerabilities - these are discussed at length in the
other two Guides, but only include what a developer or an architect or
dev lead needs to *do* to use sessions safely.
This should be the outline (feel free to re-order):
* Architectural Goals - write last, I can help if you get stuck
* Use only the framework's session manager
* Ensure idle, absolute timeouts are as short as practical
* Store privileged state only on trusted devices (not on the client)
* Ensure all pages have a logout button, and that it works effectively
(describe how to do this - and use ESAPI as a code example)
* Rotate session IDs on transition to SSL, login, privileged actions
(high value apps), and upon logout
* Ensure session re-writing is off (e.g. c:url in J2EE, describe
configuration items in PHP, .NET, J2EE, etc)
* Ensure session IDs are never logged
* Ensure that session failures are logged properly so they can be
* Things not to do (if necessary)
* References - definitely include links to the ADSR session management
nodes, Testing and Code Review Guides, and the Top 10 2007's A7, but
feel free to include others as you see fit.
Please look at the Authentication chapter - I've re-written it last
week to be the new style. Where a control is a bit onerous, consider
using MAY for low value apps, SHOULD for medium value apps, and MUST
for high value apps. I've done that a bit in the Authentication re-write,
and it will be a continuing theme throughout the Developer
Guide, so that the Developer Guide scales from low value / small dev
teams through to high value / large dev teams.
UML sequence diagrams, particularly for the logout phase, are welcome.
Code examples should use ESAPI. There's ESAPI for PHP coming along, so
if you want to help finish the session bits of ESAPI for PHP so your
code snippets work, let me know as I'm the project leader for that
effort too. If you need some of ESAPI for PHP to exist or for me to
document how it will work (as most of it is missing :-), let me know
and I'll try to polish that code enough to allow you to write working
I'd suggest writing the new material at the top of the page, keeping
the old stuff until we're ready to delete it. Feel free to re-use the
old material if that helps speed things up, but remember, we're not
keeping any of the material about attacks. As long as the old material
supports the new mission, we're okay! :-)
Let me know when you're ready for a review, or if you get stuck.
On Nov 21, 2008, at 10:00 PM, Timothy McGuire wrote:
> I'd like to help with the guide and since I'm new, I'd like to start
> with small assignments and work my way up from there. So, tell me
> what to do and I'll do it.
> Tim McGuire.
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
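The controls in the outline above (framework session manager only, idle and absolute timeouts, session re-writing off, ID rotation on login, a logout that actually works, failures logged without the session ID), as an added example in plain PHP that is not code from the Guide or from ESAPI for PHP; the timeout values, an HTTPS-only deployment and PHP 7.3+ (array form of session_set_cookie_params) are assumptions.

```php
<?php
// Added example, not Guide/ESAPI code: the outline's session controls using only PHP's built-in session manager.
const IDLE_TIMEOUT_SECONDS     = 15 * 60;   // assumed: 15 minutes idle
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // assumed: 8 hours absolute

function startSecureSession(): void
{
    ini_set('session.use_trans_sid', '0');    // session re-writing (ID in URLs) off
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the query string
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the app is served over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
    enforceTimeouts();
}

function enforceTimeouts(): void
{
    $now     = time();
    $created = $_SESSION['created_at'] ?? $now;
    $last    = $_SESSION['last_seen']  ?? $now;
    if ($now - $created > ABSOLUTE_TIMEOUT_SECONDS || $now - $last > IDLE_TIMEOUT_SECONDS) {
        // Log the failure by user, never by session ID, then end the session.
        error_log('session expired for user=' . ($_SESSION['user_id'] ?? 'anonymous'));
        logout();
        return;
    }
    $_SESSION['created_at'] = $created;
    $_SESSION['last_seen']  = $now;
}

// Rotate the ID on login (and on other privilege transitions) so a pre-authentication ID never identifies an authenticated session.
function onLogin(int $userId): void
{
    session_regenerate_id(true);  // true also deletes the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
    $_SESSION['last_seen']  = time();
}

// Logout: clear server-side state, expire the cookie, then destroy the session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call startSecureSession() at the top of every page and onLogin() only after credentials have been verified; the logout handler calls logout() and then redirects.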