[Owasp-cincinnati] Generate different session id for security

jcombs10 at cinci.rr.com
Thu Jun 19 10:30:57 EDT 2008


You are correct that carrying forward any session contents must be addressed.  The OWASP Enterprise Security API (ESAPI) provides a mechanism to do this.  See DefaultHttpUtilities.changeSessionIdentifier() in their reference implementation.

It's a pretty straightforward process: copy all the attribute references from the current session to a temporary store, invalidate the current session and start a new one, and copy all the attribute references from the temporary store to the new session.


Joe Combs
Staff Consultant
SEI-Cincinnati, LLC
A Systems Evolution, Inc. Company
5191 Natorp Drive, Suite 410
Mason, OH 45040
Phone 513.459.1992
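The three-step procedure described above, written out as an added Java servlet example (this is illustrative code, not ESAPI's own DefaultHttpUtilities implementation; the class and method names here are my own):

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Regenerates the session identifier while keeping the session contents.
 * Call this at a privilege boundary (login, HTTP -> HTTPS, entering a more
 * privileged area) so an id handed out before the boundary is not honoured
 * after it, without the user losing what was already in the session.
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    public static HttpSession changeSessionIdentifier(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // Nothing to carry forward: just start a fresh session.
            return request.getSession(true);
        }

        // 1. Copy the attribute references into a temporary store.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, oldSession.getAttribute(name));
        }

        // 2. Invalidate the old session so its id is no longer accepted by the
        //    container, then start a new session, which gets a freshly generated id.
        oldSession.invalidate();
        HttpSession newSession = request.getSession(true);

        // 3. Copy the attribute references from the temporary store to the new session.
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }
}
```

Call it before writing the response so the container can still send the new session cookie; on Servlet 3.1 and later containers, HttpServletRequest.changeSessionId() does the same id rotation in one call and keeps the attributes for you.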

---- Zhou wrote:
> Hi there,
> 
> I read that a Web app needs to issue a different session id when the user
> enters a protected page (e.g., from HTTP to HTTPS), or enters a more
> privileged page. This all makes sense for security. But I do not know
> what the best way is to carry session data over to the new session.
> 
> The user would not be happy if, after he enters an HTTPS page or a more
> privileged page, all his data in the previous session is lost. Is this an
> issue or am I missing something?
> 
> Thanks,
> 
> Yan
