[OWASP-GUIDE] White paper: Authentication and Session Management on the Web

Paul Johnston paul at westpoint.ltd.uk
Thu Feb 10 05:00:08 EST 2005


Yes, the URL I sent is permanent. Thanks for the suggested updates to 
the links; however, I am treating this paper as immutable. It was 
submitted as my GSEC assignment and that submission cannot be updated.

I did mention the random auth token for forms, although it doesn't get a 
lot of space. In the paper what I propose is "generate a random token 
when a form is retrieved, and check it matches when the form is 
submitted". This does work fine, but I think it's actually more than you 
really need. There's no reason for the auth token to be different for 
each form. In the last web app I developed, I allocate an auth token at 
login time, at the same time as the SID. This is included as a hidden 
field on all forms, and all form submissions check it.

I've got more to say on referers in another message...

Best wishes,

Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul at westpoint.ltd.uk
web: www.westpoint.ltd.uk

> I just skimmed through this, and it looks very good. Is this going to be
> its permanent URL? I would like to provide a link to it in our library

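The two anti-forgery schemes discussed in the message above (a per-session auth token allocated at login and placed in every form, versus the paper's per-form token generated on retrieval and checked on submission), as an added example that is not part of the original message or of the paper. The `WebApp`, `Session`, `hidden_field` and `fields_from_form` names, the in-memory session store and the user names are assumptions made for illustration; the "browser" is simulated by scraping the hidden inputs out of the rendered form. The scenarios also cover the two failure modes a practitioner should check: a forged request that carries no token, and an attacker submitting a token from their own valid session against the victim's session.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    user: str
    auth_token: str                                 # per-login token (the message's approach)
    form_tokens: set = field(default_factory=set)   # per-form tokens (the paper's approach)


class WebApp:
    """Hypothetical server side: an in-memory session store plus form rendering and checking."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        # SID and auth token are allocated together at login; both must be unguessable.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user, secrets.token_urlsafe(32))
        return sid

    # --- per-session token: one value, included in every form for the life of the login ---
    def render_form(self, sid):
        return hidden_field("auth_token", self.sessions[sid].auth_token)

    def submit(self, cookie_sid, fields):
        s = self.sessions.get(cookie_sid)
        if s is None:
            return False, "no session"
        # Compare against the token of the session named by the cookie, in constant time.
        submitted = fields.get("auth_token", "").encode()
        if not hmac.compare_digest(submitted, s.auth_token.encode()):
            return False, "auth token mismatch"
        return True, "accepted for " + s.user

    # --- per-form token: a fresh value on each GET, consumed by the matching POST ---
    def render_form_per_request(self, sid):
        tok = secrets.token_urlsafe(32)
        self.sessions[sid].form_tokens.add(tok)
        return hidden_field("form_token", tok)

    def submit_per_request(self, cookie_sid, fields):
        s = self.sessions.get(cookie_sid)
        if s is None:
            return False, "no session"
        tok = fields.get("form_token", "")
        if tok not in s.form_tokens:
            return False, "form token unknown or already used"
        s.form_tokens.discard(tok)   # single use: a replayed form is refused
        return True, "accepted for " + s.user


def hidden_field(name, value):
    return f'<input type="hidden" name="{name}" value="{value}">'


def fields_from_form(html):
    """Stand-in for the browser: collect the hidden inputs into the POST body."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]+)"', html))


def run_scenarios():
    app = WebApp()
    victim = app.login("alice")      # constructed users, not from the page
    attacker = app.login("mallory")
    out = {}
    # 1. Normal use: the form alice fetched is submitted with alice's cookie.
    out["legit"] = app.submit(victim, fields_from_form(app.render_form(victim)))
    # 2. Classic forgery: mallory's page posts to the app; alice's browser attaches
    #    her cookie, but mallory's HTML cannot read alice's token, so none is sent.
    out["forged_no_token"] = app.submit(victim, {"amount": "1000"})
    # 3. Mallory submits her own (valid) token against alice's session. Rejected only
    #    because the check is "matches THIS session's token", not "is some valid token".
    out["forged_other_token"] = app.submit(victim, fields_from_form(app.render_form(attacker)))
    # 4. Per-form variant: the form works once; resubmitting the same form is refused.
    form = fields_from_form(app.render_form_per_request(victim))
    out["per_form_first"] = app.submit_per_request(victim, form)
    out["per_form_replay"] = app.submit_per_request(victim, form)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} -> {result}")
```

Scenario 3 is the check worth keeping in mind whichever variant is used: the token only defends the session it was issued to if the server looks it up through the session identified by the cookie, never through the token alone. The per-form variant additionally gives single-use semantics at the cost of server-side bookkeeping (and of breaking the back button and multi-tab use), which is the extra complexity the message argues is usually unnecessary.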