[OWASP-GUIDE] Session Management

Chris Shiflett chris at shiflett.org
Thu Mar 4 21:11:17 EST 2004


--- Adrian Wiesmann <awiesmann at swordlord.org> wrote:
> - It should be explicitly said that the client needs to be
> re-authenticated with every new request.

I haven't read this document yet, so my interpretation of this suggestion
might be out of context. However, this strikes me as being potentially
incorrect and dangerous information.

In my opinion, the client should only be authenticated once. Thereafter,
the client only needs to be identified. This is the fundamental theory of
state management. Of course, secure identification can be challenging.

Suggesting that the client be authenticated for every single request will
lead people to expose authentication credentials (over the Internet) more
than necessary. This is an unnecessary risk, and I would identify this as
a potential problem in any security audit that I performed.

Again, if I completely misinterpreted this suggestion, then you can safely
ignore this message. I'm also happy to discuss further, and I can
elaborate on my reasoning.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
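The distinction Chris draws above, authenticate once and then merely identify the client, is what a server-side session store implements. The following is an added example written for this archive page; it is not code from the OWASP Guide, from the original poster, or from any project named in the thread. The `SessionStore` class, its user table, the PBKDF2 parameters, the 30-minute default lifetime, and the sample user "alice" are all assumptions made for illustration. The password is inspected only in `authenticate()`, which then issues a random 256-bit session identifier; every later request presents that identifier to `identify()` and never re-sends the credential, which is the exposure the post objects to.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a leaked user table is not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class SessionStore:
    """Authenticate once, then identify by an unguessable session id.

    Hypothetical server-side component written for this example; it is not
    code from the OWASP Guide or from the post's author.
    """

    def __init__(self, ttl_seconds: int = 1800):
        self._users: dict[str, tuple[bytes, bytes]] = {}    # name -> (salt, hash)
        self._sessions: dict[str, tuple[str, float]] = {}   # sid  -> (name, expiry)
        self.ttl = ttl_seconds

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str,
                     now: Optional[float] = None) -> Optional[str]:
        """The only step that ever sees the password. Returns a session id or None."""
        record = self._users.get(username)
        if record is None:
            # Spend the same time as a real check so usernames cannot be enumerated by timing.
            _hash_password(password, b"\x00" * 16)
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; never a counter or a hash of the user
        expires = (now if now is not None else time.time()) + self.ttl
        self._sessions[sid] = (username, expires)
        return sid

    def identify(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Every later request carries only the session id, never the credential."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, expires = entry
        if (now if now is not None else time.time()) >= expires:
            del self._sessions[session_id]  # expired: the client must authenticate again
            return None
        return username

    def logout(self, session_id: str) -> None:
        """Server-side invalidation; a cookie the client keeps is now worthless."""
        self._sessions.pop(session_id, None)


def credential_exposures(requests: int, reauth_every_request: bool) -> int:
    """How many times the password crosses the network for a run of requests."""
    return requests if reauth_every_request else 1


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    store.register("alice", "correct horse battery staple")   # constructed sample user
    sid = store.authenticate("alice", "correct horse battery staple")
    assert sid is not None
    for _ in range(5):
        assert store.identify(sid) == "alice"   # identified, not re-authenticated
    store.logout(sid)
    assert store.identify(sid) is None
    print("password on the wire:", credential_exposures(5, False),
          "time with sessions vs", credential_exposures(5, True),
          "times with per-request re-authentication")
```

The session id is the only secret a client holds after login, so it must be as unguessable as a password (hence `secrets.token_urlsafe`), bound to an expiry, and revocable server-side; in a real deployment it would also travel in a cookie flagged `Secure` and `HttpOnly`, which this in-memory example does not model.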