[Owasp-guide] requesting assignments

Timothy McGuire tim.e.mcguire at gmail.com
Fri Dec 5 16:45:27 EST 2008


I have some of the session management section rewritten.  Notes below.

1.  The ASDR for session management is blank.  Should I link there anyway?
2.  I included a paragraph about cryptographically strong session IDs and
appropriately large keyspace and character sets.  I put it under the "Only
Use the framework's session manager" section.
3.  I included a section for "Associating Session Information With IP
Address" as stated in the version I am replacing.  I don't see any ESAPI
code that does this?
4.  When we have items like "make idle time-out as low as practical", the
guide seems to avoid making any concrete recommendations.  Are we giving
guidance for how to come up with these numbers?
5.  Does ESAPI have a handler that logs and / or defends against multiple
attempts to continue a session based on an invalid session ID?  I've been
looking for uses of isRequestedSessionIdValid.  If it doesn't exist, I'd
like to write some sample code for this, if this be deemed valuable.
6.  I added a section about "validate session IDs that come from client".
7.  Should we keep the Cold Fusion section?
8.  In reading about logging session IDs, instead of finding out how not to
log them, I'm finding lots of advice about how to log session IDs for
debugging purposes.    For example:
http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=64&t=001675.
Should the guide come out strongly against this practice?
9.  Copied section about Page and Form tokens from existing guide.  Does it
belong here?

On Tue, Nov 25, 2008 at 9:37 AM, Timothy McGuire <tim.e.mcguire at gmail.com> wrote:

> sounds good.  I'll get started.
>
>
> On Mon, Nov 24, 2008 at 10:21 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>> Hi there,
>> Can I please assign you the session management chapter?
>>
>> It needs some TLC - as in a near total re-write. Do *not* discuss attacks
>> or vulnerabilities - these are discussed at length in the other two Guides,
>> but only include what a *developer* or an *architect* or *dev lead* *needs
>> to do* to use sessions safely.
>>
>> This should be the outline (feel free to re-order):
>>
>> * Architectural Goals - write last, I can help if you get stuck
>> * Use only the framework's session manager
>> * Ensure idle, absolute timeouts are as short as practical
>> * Store privileged state only on trusted devices (not on the client)
>> * Ensure all pages have a logout button, and that it works effectively
>> (describe how to do this - and use ESAPI as a code example)
>> * Rotate session IDs on transition to SSL, login, privileged actions (high
>> value apps), and upon logout
>> * Ensure session re-writing is off (e.g. c:url in J2EE, describe
>> configuration items in PHP, .NET, J2EE, etc)
>> * Ensure session IDs are never logged
>> * Ensure that session failures are logged properly so they can be tracked
>> * Things not to do (if necessary)
>> * References - definitely include links to the ASDR session management
>> nodes, Testing and Code Review Guides, and the Top 10 2007's A7, but feel
>> free to include others as you see fit.
>>
>> Please look at the Authentication chapter - I re-wrote it last week
>> to be the new style. Where a control is a bit onerous, consider using MAY
>> for low value apps, SHOULD for medium value apps, and MUST for high value
>> apps. I've done that a bit in the Authentication re-write, and it will be a
>> continuing theme throughout the Developer Guide, so that the Developer Guide
>> scales from low value / small dev teams through to high value / large dev
>> teams.
>>
>> UML sequence diagrams, particularly for the logout phase, are welcome.
>>
>> Code examples should use ESAPI. There's ESAPI for PHP coming along, so if
>> you want to help finish the session bits of ESAPI for PHP so your code
>> snippets work, let me know as I'm the project leader for that effort too. If
>> you need some of ESAPI for PHP to exist or for me to document how it will
>> work (as most of it is missing :-), let me know and I'll try to polish that
>> code enough to allow you to write working example code.
>>
>> I'd suggest writing the new material at the top of the page, keeping the
>> old stuff until we're ready to delete it. Feel free to re-use the old
>> material if that helps speed things up, but remember, we're not keeping any
>> of the material about attacks. As long as the old material supports the new
>> mission, we're okay! :-)
>>
>> Let me know when you're ready for a review, or if you get stuck.
>>
>> thanks,
>> Andrew
>>
>> On Nov 21, 2008, at 10:00 PM, Timothy McGuire wrote:
>>
>> I'd like to help with the guide and since I'm new, I'd like to start with
>> small assignments and work my way up from there.  So, tell me what to do and
>> I'll do it.
>>
>> Thanks,
>>
>> Tim McGuire.
>> http://www.phpsolvent.com/wordpress
>>
>> thanks,
>> Andrew van der Stock
>> Lead Author, OWASP Guide and OWASP Top 10
>
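
Item 5 of the message above asks about a handler that logs and defends against repeated attempts to continue a session with an invalid session ID, and the outline asks that session failures be logged while session IDs never are. The following servlet filter is an added example, not code from this thread or from ESAPI; the class name, threshold and window are hypothetical, and it assumes the javax.servlet API is on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: logs and throttles requests that present an invalid session ID.
public class InvalidSessionIdFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("security.session");
    private static final int MAX_FAILURES = 5;             // assumed threshold
    private static final long WINDOW_MS = 10 * 60 * 1000L; // assumed counting window
    // client address -> {window start, failures in window}; eviction of idle entries is omitted
    private final ConcurrentHashMap<String, long[]> failures = new ConcurrentHashMap<>();

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String presented = req.getRequestedSessionId();
        // The client sent an ID, but the container holds no live session for it.
        if (presented != null && !req.isRequestedSessionIdValid()) {
            String addr = req.getRemoteAddr(); // behind a proxy this is the proxy's address
            long now = System.currentTimeMillis();
            long[] w = failures.compute(addr, (k, v) ->
                (v == null || now - v[0] > WINDOW_MS) ? new long[] {now, 1} : new long[] {v[0], v[1] + 1});
            // Log a truncated digest so events can be correlated without the ID reaching the log.
            LOG.warning("invalid session id: addr=" + addr + " idDigest=" + digest(presented)
                + " failuresInWindow=" + w[1]);
            if (w[1] > MAX_FAILURES) {
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(rq, rs);
    }

    static String digest(String id) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256").digest(id.getBytes(StandardCharsets.UTF_8));
            return String.format("%02x%02x%02x%02x", h[0], h[1], h[2], h[3]);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

An expired session from a legitimate user also reports an invalid ID, which is why the filter counts within a window and only blocks above the threshold.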