[OWASP-GUIDE] Session Management

Adrian Wiesmann awiesmann at swordlord.org
Fri Mar 5 10:44:34 EST 2004


On Thu, 4 Mar 2004 18:11:17 -0800 (PST)
Chris Shiflett <chris at shiflett.org> wrote:

> --- Adrian Wiesmann <awiesmann at swordlord.org> wrote:
> > - It should be explicitly said that the client needs to be
> > re-authenticated with every new request.
> 
> I haven't read this document yet, so my interpretation of this
> suggestion might be out of context. However, this strikes me as being
> potentially incorrect and dangerous information.
> 
> In my opinion, the client should only be authenticated once. Thereafter,
> the client only needs to be identified. This is the fundamental theory
> of state management. Of course, secure identification can be
> challenging.
> 
> Suggesting that the client be authenticated for every single request
> will lead people to expose authentication credentials (over the
> Internet) more than necessary. This is an unnecessary risk, and I would
> identify this as a potential problem in any security audit that I
> performed.

Hmm. What you say about misleading the developers into believing that they
should send authentication credentials over the net is actually a problem.

Andrew does an excellent job of writing what should be done, so we most
probably can leave that point to the garbage :). Thank you Chris for
pointing this out. The risk of having developers think something wrong
about this is bigger than the benefit of having some text in the Guide
explaining that there is *really* no state in HTTP.

I think this section is OK (except the images). I will head over to the
next chapter and get into contact with Ray to see what I can get my teeth
into next.

Regards,
Adrian
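The "authenticate once, identify thereafter" model Chris describes, as an added example that is not part of this thread or of the Guide's text: credentials are checked a single time and exchanged for an opaque server-side session id, which is all later requests present. The user store, salt and timeout values are constructed for the demonstration.

```python
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac
from typing import Dict, Optional

# Constructed user store: one user whose password is kept as a salted PBKDF2 hash.
_SALT = b"constructed-salt"
USERS = {"alice": pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

SESSION_TTL = 900                     # seconds a session id stays valid when idle
_sessions: Dict[str, dict] = {}       # server-side state keyed by opaque session id


def authenticate(username: str, password: str) -> Optional[str]:
    """Done once per login: verify credentials and return an opaque session id.
    The password is neither stored in the session nor needed on later requests."""
    stored = USERS.get(username)
    if stored is None:
        return None
    candidate = pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):   # constant-time comparison
        return None
    sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable or predictable
    _sessions[sid] = {"user": username, "last_seen": time.time()}
    return sid


def identify(sid: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Done on every request: map the presented session id back to a user.
    Returns None for unknown or idle-expired ids so the caller falls back to login."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid) if sid else None
    if entry is None:
        return None
    if now - entry["last_seen"] > SESSION_TTL:
        _sessions.pop(sid, None)      # idle timeout: the id is dead from here on
        return None
    entry["last_seen"] = now
    return entry["user"]


def logout(sid: str) -> None:
    """Invalidate server-side, so a copied id is useless after logout."""
    _sessions.pop(sid, None)
```

Because HTTP carries no state of its own, the session id in the cookie is the only link between requests; that is why it must be random, expire, and be revocable on the server rather than merely forgotten by the client.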
