[Owasp-guide] Status updates please

Timothy McGuire tim.e.mcguire at gmail.com
Mon Dec 29 20:59:20 EST 2008


Hi Andrew and List:

Here is my work product.
http://www.owasp.org/index.php/Session_Management

I need to build a logout UML diagram and build some more ESAPI code into my
piece, but a lot of the writing is done / ready for review.

I sent an email to the list with a bunch of questions for clarifications and
I'd like a short answer to at least some of those before I continue.  I'll
copy them here.
I have some of the session management section rewritten.  Notes below.

1.  The ASDR for session management is blank.  Should I link there anyway?
2.  I included a paragraph about cryptographically strong session IDs and
appropriately large keyspace and character sets.  I put it under the "Only
Use the framework's session manager" section.
3.  I included a section for "Associating Session Information With IP
Address" as stated in the version I am replacing.  I don't see any ESAPI
code that does this?
4.  When we have items like "make idle time-out as low as practical" The
guide seems to avoid making any concrete recommendations.  Are we giving
guidance for how to come up with these numbers?
5.  Does ESAPI have a handler that logs and / or defends against multiple
attempts to continue a session based on an invalid session ID?  I've been
looking for uses of isRequestedSessionIdValid.  If it doesn't exist, I'd
like to write some sample code for this, if this be deemed valuable.
6.  I added section about "validate session IDs that come from client"
7.  Should we keep the Cold Fusion section?
8.  In reading about logging session IDs, Instead of finding out how not to
log them, I'm finding lots of advice about how to log session IDs for
debugging purposes.    For example:
http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=64&t=001675.

9.  Copied section about Page and Form tokens from existing guide.  Does it
belong here?
On Wed, Dec 17, 2008 at 11:17 PM, Andrew van der Stock
<vanderaj at owasp.org>wrote:

> Hi there,
>
> Can folks with assigned work to give a quick one or two paragraph update to
> the list, including a URL to your work product.
>
> The due date for this round is Dec 31, 2008. The next round will start Jan
> 1, and finish in February.
>
> thanks,
> Andrew
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-guide/attachments/20081229/c31aac13/attachment.html 


More information about the Owasp-guide mailing list