[Owasp-cincinnati] Session Destroy References
Marco M. Morana
marco.m.morana at gmail.com
Thu Jun 25 21:21:53 EDT 2009
I think the session management of this page is not updated with the explicit recommendation of invalidating the session at login to prevent session fixation/hijacking.
It is mentioned to re-generate tokens prior to any significant transaction; it should indeed be more detailed, mentioning authentication/login as a transaction.
OWASP session fixation is covered here:
http://www.owasp.org/index.php/Session_Fixation
and here
http://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
Regeneration of the session upon authentication is also covered here:
http://www.owasp.org/index.php/Top_10_2007-A7
and the code review guide
http://www.owasp.org/index.php/Codereview-Session-Management
Regards
Marco
----- Original Message -----
From: Edward Sumerfield
To: OWASP Cincinnati
Sent: Thursday, June 25, 2009 5:24 PM
Subject: [Owasp-cincinnati] Session Destroy References
I was looking for a reference to send someone on recommendations on why to destroy the web session on login and logout. I could only find the "Destroy Session on Logout" reference in this OWASP document but nothing for the login process. Did I miss something or is it something we need to add?
http://www.owasp.org/index.php/Session_Management
Ed Sumerfield
Ed Sumerfield Consulting, LLC
http://www.edsumerfieldconsulting.com
513-295-7016
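The thread's point, regenerating the session identifier at login (and destroying it at logout), as an added example that is not part of either message and not taken from any OWASP page. The session store, the `SessionStore` class and the `prelogin_id_survives` check are constructed for illustration; the insecure `login_insecure` method is there only to contrast the behaviour the regeneration step removes.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def _new_id(self):
        # 256 bits from the OS CSPRNG; the id must never be derived from
        # anything the client can choose (URL parameter, form field, etc.)
        return secrets.token_urlsafe(32)

    def create(self):
        """Issue an anonymous, unauthenticated session."""
        sid = self._new_id()
        self._sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def regenerate(self, sid):
        """Move the session state to a fresh id and invalidate the old one.

        This is the 're-generate tokens prior to any significant
        transaction' step; authentication is the most important such
        transaction because the old id may have been planted by a third
        party (session fixation).
        """
        state = self._sessions.pop(sid, None)
        if state is None:
            state = {"authenticated": False, "user": None}
        new_sid = self._new_id()
        self._sessions[new_sid] = state
        return new_sid

    def login_insecure(self, sid, user):
        """Flawed variant: keeps the pre-authentication id after login."""
        state = self._sessions.setdefault(
            sid, {"authenticated": False, "user": None})
        state.update(authenticated=True, user=user)
        return sid

    def login(self, sid, user):
        """Regenerate the id on authentication, then mark it authenticated."""
        new_sid = self.regenerate(sid)
        self._sessions[new_sid].update(authenticated=True, user=user)
        return new_sid

    def logout(self, sid):
        """Destroy the session server-side; clearing the cookie alone is not enough."""
        self.destroy(sid)


def prelogin_id_survives(regenerate_on_login):
    """Check: does an id issued before login still reach the authenticated session?

    True means the application is open to session fixation; False means the
    pre-login id was invalidated at authentication.
    """
    store = SessionStore()
    pre_login_id = store.create()  # id the browser held before authenticating
    if regenerate_on_login:
        store.login(pre_login_id, "alice")
    else:
        store.login_insecure(pre_login_id, "alice")
    state = store.get(pre_login_id)
    return state is not None and state["authenticated"]


if __name__ == "__main__":
    print("without regeneration, pre-login id still authenticated:",
          prelogin_id_survives(regenerate_on_login=False))
    print("with regeneration, pre-login id still authenticated:",
          prelogin_id_survives(regenerate_on_login=True))
```

`prelogin_id_survives` is the one-line test a reviewer can point to when asked why the login step, and not only logout, needs a session reset: with `login_insecure` the id that existed before authentication is now an authenticated id, with `login` it is gone.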