[Owasp-cincinnati] Session Destroy References

Marco M. Morana marco.m.morana at gmail.com
Thu Jun 25 21:21:53 EDT 2009


I think the session management of this page is not updated with the explicit recommendation of invalidating the session at login to prevent session fixation/hijacking.
It mentions re-generating tokens prior to any significant transaction; indeed, it should be more detailed, mentioning authentication/login as a transaction.

OWASP session fixation is covered here:
http://www.owasp.org/index.php/Session_Fixation

and here:
http://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)

Regeneration of the session upon authentication is also covered here:
http://www.owasp.org/index.php/Top_10_2007-A7

and in the code review guide:
http://www.owasp.org/index.php/Codereview-Session-Management

Regards

Marco

  ----- Original Message ----- 
  From: Edward Sumerfield 
  To: OWASP Cincinnati 
  Sent: Thursday, June 25, 2009 5:24 PM
  Subject: [Owasp-cincinnati] Session Destroy References


  I was looking for a reference to send someone on recommendations on why to destroy the web session on login and logout. I could only find the "Destroy Session on Logout" reference in this OWASP document but nothing for the login process. Did I miss something or is it something we need to add?

      http://www.owasp.org/index.php/Session_Management

  Ed Sumerfield
  Ed Sumerfield Consulting, LLC
  http://www.edsumerfieldconsulting.com
  513-295-7016
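Regenerating the session ID at login and destroying the session at logout, as recommended in the pages referenced above, shown against a constructed in-memory session store (example code added here, not from the OWASP pages or either message; the store and method names are assumptions):

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None                # None until authenticated
    data: dict = field(default_factory=dict)  # harmless pre-login state, e.g. a cart


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)       # unpredictable ID from the CSPRNG
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_without_regeneration(self, sid: str, user: str) -> str:
        # Weak: the pre-login session is marked authenticated in place, so any party
        # who learned this ID before login now holds an authenticated session (fixation).
        self._sessions[sid].user = user
        return sid

    def login(self, sid: str, user: str) -> str:
        # Hardened: retire the pre-login ID and bind the authenticated state to a
        # fresh ID that did not exist until the credentials were verified.
        old = self._sessions.pop(sid, None)
        new_sid = self.new()
        self._sessions[new_sid].user = user
        if old is not None:
            self._sessions[new_sid].data = old.data
        return new_sid

    def logout(self, sid: str) -> None:
        # Destroy the server-side state; clearing the cookie alone leaves the ID usable.
        self._sessions.pop(sid, None)


def pre_login_id_still_valid(login_method_name: str) -> bool:
    """True if an ID issued before login is still an authenticated session afterwards."""
    store = SessionStore()
    pre_login_sid = store.new()
    getattr(store, login_method_name)(pre_login_sid, "alice")
    s = store.get(pre_login_sid)
    return s is not None and s.user == "alice"
```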
