[OWASP-GUIDE] Session Management
awiesmann at swordlord.org
Thu Mar 4 17:37:01 EST 2004
> Here is my partial re-write (it's a lot of new text) with all of the
> TODO items fixed.
I was now able to read your Session Management chapter and I liked it very
much! Thanks again.
> There are additionally two images I'd like to include as well, but I
> don't know the DTD well enough to put in the appropriate tags to include
> them. I generated them in Visio, and exported them to JPEG.
Please send them to me or put them into the cvs into the correct directory
so I could add them to the chapter.
> Can everyone please read, and suggest any changes which would improve
> the document? The main one I can think off the top of my head are
I do have only these small thoughts:
- It should be explicitly said that the client needs to be
re-authenticated with every new request.
- A problem with state at the server is the fact that a user never has to
come back. Which means that storing state in the memory can become a
problem. (And which is btw a problem when you try to store a COM object in
an ASP Session :) )
- It is a very bad behaviour when a Web Application crashes only because
the cookie was expected but missing (or containing wrong/unexpected data).
That's it for the moment.
My plan is to get your chapter finished before the next week so I can go
on with the next tasks.
P.S. Ray: I would prefer to head over to Cryptography. How's the current
P.S. Mark: Are you still in contact with the editor/publisher or should I
re-negotiate with them?
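The three points raised above (re-validate the client on every request, reap server-side state for users who never come back, and never crash on a missing or malformed cookie) in one small session handler. This is an added illustration, not code from the OWASP Guide or from anyone on this list; the secret, the 15-minute idle timeout and the in-memory store are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"demo-secret-not-for-production"
SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout

# Server-side session store: session id -> {"user": ..., "last_seen": ...}
_sessions: dict = {}


def _sign(sid: str) -> str:
    """HMAC tag binding the session id to our secret, so a forged id is rejected."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def create_session(user: str, now: float) -> str:
    """Issue a fresh random session id and return the cookie value 'sid.tag'."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "last_seen": now}
    return f"{sid}.{_sign(sid)}"


def authenticate_request(cookie: Optional[str], now: float) -> Optional[str]:
    """Re-authenticate the client on every request.

    Returns the user name, or None for a missing, malformed, tampered,
    unknown or idle-expired cookie. It never raises: a bad cookie is an
    unauthenticated request, not an application crash.
    """
    if not cookie or cookie.count(".") != 1:
        return None
    sid, tag = cookie.split(".")
    # Constant-time compare on bytes so odd input cannot trip a TypeError.
    if not hmac.compare_digest(tag.encode(), _sign(sid).encode()):
        return None
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > SESSION_TTL_SECONDS:
        del _sessions[sid]  # user did not come back in time
        return None
    entry["last_seen"] = now
    return entry["user"]


def expire_idle_sessions(now: float) -> int:
    """Reap state for users who never returned, so server memory stays bounded."""
    stale = [s for s, e in _sessions.items() if now - e["last_seen"] > SESSION_TTL_SECONDS]
    for sid in stale:
        del _sessions[sid]
    return len(stale)
```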