[OWASP-GUIDE] Session Management

Adrian Wiesmann awiesmann at swordlord.org
Thu Mar 4 17:37:01 EST 2004

Hi Andrew

> Here is my partial re-write (it's a lot of new text) with all of the
> TODO items fixed.

I was now able to read your Session Management chapter and I liked it very
much! Thanks again.

> There are additionally two images I'd like to include as well, but I
> don't know the DTD well enough to put in the appropriate tags to include
> them. I generated them in Visio, and exported them to JPEG.

Please send them to me or put them into the cvs into the correct directory
so I could add them to the chapter.

> Can everyone please read, and suggest any changes which would improve
> the document? The main one I can think off the top of my head are
> examples.

I do have only these small thoughts:

- It should be explicitly said that the client needs to be
re-authenticated with every new request.
- A problem with state at the server is the fact that a user never has to
come back, which means that storing state in memory can become a
problem. (And which is btw a problem when you try to store a COM object in
an ASP Session :) )
- It is a very bad behaviour when a Web Application crashes only because
the cookie was expected but missing (or containing wrong/unexpected data).

That's it for the moment.

My plan is, to get your chapter finished before the next week so I can go
on with the next tasks.


P.S. Ray: I would prefer to head over to Cryptography. How's the current

P.S. Mark: Are you still in contact with the editor/publisher or should I
re-negotiate with them?
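The three points in the message above, shown in code (an added example, not part of this message or of the Guide chapter under review): a stateless, HMAC-signed session cookie that is re-validated on every request, that expires after an idle timeout so abandoned sessions hold no server memory, and that treats a missing, truncated or malformed cookie as "not logged in" instead of crashing the handler. The secret, the cookie name `session` and the timeout value are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: server-side key, never sent to clients
IDLE_TIMEOUT = 900  # seconds; assumption: idle sessions are dropped, so nothing is kept per user


def mint_session(user: str, now: float) -> str:
    """Build a self-contained cookie value: base64(JSON payload) '.' hex(HMAC-SHA256)."""
    payload = base64.urlsafe_b64encode(json.dumps({"u": user, "t": int(now)}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_session(cookie: Optional[str], now: float) -> Optional[str]:
    """Return the user name for a valid, unexpired cookie, else None.
    Every malformed shape (None, empty, no separator, bad base64, non-JSON,
    wrong field types, forged signature) maps to None rather than an exception."""
    if not cookie or "." not in cookie:
        return None
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Check the MAC first, in constant time, before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload.encode()))
        user, issued = str(data["u"]), int(data["t"])
    except (ValueError, KeyError, TypeError):
        return None
    if issued > now or now - issued > IDLE_TIMEOUT:  # clock skew forward or idle too long
        return None
    return user


def session_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Pick the 'session' cookie out of a raw Cookie header; tolerate junk around it."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value or None
    return None


def handle_request(headers: dict, now: float) -> tuple:
    """Re-authenticate on every request: no valid session means 401, never a 500."""
    user = validate_session(session_cookie(headers.get("Cookie")), now)
    if user is None:
        return 401, "login required"
    return 200, f"hello {user}"
```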
