[Owasp-guide] requesting assignments

Andrew van der Stock vanderaj at owasp.org
Mon Nov 24 13:58:58 EST 2008

Hi there,

Can I please assign you the session management chapter?

It needs some TLC - as in a near total re-write. Do not discuss  
attacks or vulnerabilities - these are discussed at length in the  
other two Guides, but only include what a developer or an architect or  
dev lead needs to *do* to use sessions safely.

This should be the outline (feel free to re-order):

* Architectural Goals - write last, I can help if you get stuck
* Use only the framework's session manager
* Ensure idle, absolute timeouts are as short as practical
* Store privileged state only on trusted devices (not on the client)
* Ensure all pages have a logout button, and that it works effectively  
(describe how to do this - and use ESAPI as a code example)
* Rotate session IDs on transition to SSL, login, privileged actions  
(high value apps), and upon logout
* Ensure session re-writing is off (e.g. c:url in J2EE, describe  
configuration items in PHP, .NET, J2EE, etc)
* Ensure session IDs are never logged
* Ensure that session failures are logged properly so they can be  
* Things not to do (if necessary)
* References - definitely include links to the ADSR session management  
nodes, Testing and Code Review Guides, and the Top 10 2007's A7, but  
feel free to include others as you see fit.

Please look at the Authentication chapter - I've re-written it last  
week to be the new style. Where a control is a bit onerous, consider  
using MAY for low value apps, SHOULD for medium value apps, and MUST  
for high value apps. I've done that a bit in the Authentication  
re-write, and it will be a continuing theme throughout the Developer  
Guide, so that the Developer Guide scales from low value / small dev  
teams through to high value / large dev teams.

UML sequence diagrams, particularly for the logout phase, are welcome.

Code examples should use ESAPI. There's ESAPI for PHP coming along, so  
if you want to help finish the session bits of ESAPI for PHP so your  
code snippets work, let me know as I'm the project leader for that  
effort too. If you need some of ESAPI for PHP to exist or for me to  
document how it will work (as most of it is missing :-), let me know  
and I'll try to polish that code enough to allow you to write working  
example code.

I'd suggest writing the new material at the top of the page, keeping  
the old stuff until we're ready to delete it. Feel free to re-use the  
old material if that helps speed things up, but remember, we're not  
keeping any of the material about attacks. As long as the old material  
supports the new mission, we're okay! :-)

Let me know when you're ready for a review, or if you get stuck.


On Nov 21, 2008, at 10:00 PM, Timothy McGuire wrote:

> I'd like to help with the guide and since I'm new, I'd like to start  
> with small assignments and work my way up from there.  So, tell me  
> what to do and I'll do it.
> Thanks,
> Tim McGuire.
> http://www.phpsolvent.com/wordpress
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide

Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
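The outline in the message above, as working code. This is an added example and is not code from the OWASP Guide or from ESAPI: since the ESAPI for PHP session API is not documented on this page, it uses PHP's own session functions (PHP 7.3 or later, for the array forms of session_set_cookie_params and setcookie). The timeout values, the /login and /logout routes, and the log line format are assumptions.

```php
<?php
// Added example following the session management outline; not OWASP Guide
// or ESAPI code. Timeouts, routes and the log format are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT     = 15 * 60;    // assumed: 15 minutes idle
const ABSOLUTE_TIMEOUT = 8 * 3600;   // assumed: 8 hours from login

// Use only the built-in session manager, with URL re-writing switched off so
// the ID travels in a cookie and never appears in links or access logs.
function configure_sessions(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // refuse IDs this server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,     // sent only over TLS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Start or resume the session and enforce the idle and absolute timeouts.
// Privileged state (user id, role) lives only in $_SESSION on the server.
function start_session(): void
{
    configure_sessions();
    $presented = $_COOKIE[session_name()] ?? null;
    session_start();
    if ($presented !== null && $presented !== session_id()) {
        // strict mode discarded the presented ID and issued a fresh one
        log_session_event('rejected_id');
    }

    $now = time();
    if (isset($_SESSION['created_at'], $_SESSION['last_seen'])) {
        $idle = ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT;
        $abs  = ($now - $_SESSION['created_at']) > ABSOLUTE_TIMEOUT;
        if ($idle || $abs) {
            logout($idle ? 'idle_timeout' : 'absolute_timeout');
            header('Location: /login', true, 303);   // assumed login route
            exit;
        }
    } else {
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Call only after credentials were verified elsewhere. Rotating the ID here
// means any ID the browser held before authenticating is useless afterwards.
function on_login(int $user_id): void
{
    session_regenerate_id(true);            // true: drop the old server-side record
    $_SESSION['user_id']    = $user_id;
    $_SESSION['created_at'] = time();       // absolute timeout counts from login
    $_SESSION['last_seen']  = time();
    log_session_event('login');
}

// For high-value applications, rotate again before a privileged action.
function before_privileged_action(): void
{
    session_regenerate_id(true);
}

// Reachable from every page. Logs the event, clears server-side state and
// expires the browser's copy of the cookie.
function logout(string $reason = 'user'): void
{
    log_session_event('logout_' . $reason);
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Record what happened, for whom and from where, but never the session ID.
function log_session_event(string $event): void
{
    error_log(sprintf('session event=%s user=%s addr=%s',
        $event,
        $_SESSION['user_id'] ?? 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

// Where the steps are called from a request (assumed routes).
start_session();
if (($_SERVER['REQUEST_URI'] ?? '/') === '/logout') {
    logout();
    header('Location: /login', true, 303);
    exit;
}
```

The same sequence maps onto the other platforms named in the outline: the configuration items that matter are the ones that disable URL re-writing and restrict the ID to a secure, HttpOnly cookie, plus a regenerate call on login and a destroy call on logout.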
