Secure session management

Session management is as important as authentication. Because HTTP is a stateless protocol, the server recognizes a returning user or client with the help of session cookies. A cookie is characterized by four attributes: name, length, entropy, and content.

HTTP has several kinds of cookies:

  • Session – lives only as long as the browser is open.
  • Persistent – lives until a given date or time. The expiry is usually set with the ‘Max-Age’ or ‘Expires’ attributes.
  • Secure – ensures that the cookie is sent only over an encrypted connection and never as plain text.
  • HttpOnly – the cookie is used only in HTTP headers. It cannot be read or processed by client-side scripts such as JavaScript or VBScript. The main idea is to keep cross-site scripting from stealing it.

Beyond these there are SameSite cookies, third-party cookies and supercookies.

The following are some important points to remember in session handling:

  • Cookies should be transmitted only in HTTP headers.
  • Never accept cookies in GET/POST parameters. This can lead to session fixation or CSRF attacks.
  • Issue a different cookie after every privilege change (e.g. before and after login).
  • Refresh cookies at regular intervals to limit replay attacks.
  • A session cookie with higher privilege (such as an authentication cookie) should always be sent with the Secure flag over HTTPS.
  • Use HttpOnly so that client-side scripts cannot use the cookie.
  • Set the Path and Domain attributes properly. Otherwise a valid cookie can reach unexpected domains, opening the door to XSS attacks.
  • Test session timeouts properly to make sure that a timed-out cookie is invalid. Otherwise replay attacks are possible.
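The checklist above can be turned into code. The example below is added here and is not from the original post: a minimal server-side session store that rotates the ID on login and at a fixed interval and drops timed-out IDs, plus a small auditor that checks a Set-Cookie header for the attributes listed. The class and function names, the timeout values and the 128-bit length heuristic are assumptions.

```python
import secrets

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed value)
ROTATE_EVERY = 5 * 60    # seconds between forced ID refreshes (assumed value)


class SessionStore:
    """Opaque random session IDs mapped to server-side state.
    `clock` is injectable so timeouts can be tested without sleeping."""

    def __init__(self, clock):
        self._clock = clock
        self._sessions = {}  # sid -> {"user": ..., "issued": t, "last": t}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self, user=None):
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "issued": now, "last": now}
        return sid

    def lookup(self, sid):
        """Return the session state, or None if the ID is unknown or timed out.
        A timed-out entry is deleted, so the old ID can never be replayed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last"] = now
        return s

    def rotate(self, sid):
        """Move the state under a fresh ID and invalidate the old one."""
        s = self._sessions.pop(sid)
        new_sid = self._new_id()
        s["issued"] = self._clock()
        self._sessions[new_sid] = s
        return new_sid

    def login(self, sid, user):
        """Privilege change: bind the user and change the ID in the same step,
        so an ID planted before login (session fixation) is worthless."""
        s = self.lookup(sid)
        if s is None:
            return None
        s["user"] = user
        return self.rotate(sid)

    def touch(self, sid):
        """Per request: validate, and refresh the ID once ROTATE_EVERY has passed."""
        s = self.lookup(sid)
        if s is None:
            return None
        if self._clock() - s["issued"] >= ROTATE_EVERY:
            return self.rotate(sid)
        return sid


def build_set_cookie(name, sid, path="/"):
    """Set-Cookie value for a privileged (authenticated) session cookie.
    No Domain attribute: a host-only cookie is not shared with subdomains."""
    return f"{name}={sid}; Path={path}; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def check_set_cookie(header):
    """Audit one Set-Cookie header against the checklist; return the findings."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side script")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: attached to cross-site requests (CSRF)")
    if "path" not in attrs:
        findings.append("missing Path: browser defaults to the request directory")
    if attrs.get("domain"):
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    if len(value) < 22:  # 22 url-safe base64 chars is roughly 128 bits (assumed minimum)
        findings.append("session ID shorter than ~128 bits of entropy")
    return findings


if __name__ == "__main__":
    import time
    store = SessionStore(time.time)
    anon = store.create()
    authed = store.login(anon, "alice")      # pre-login ID is now invalid
    print(build_set_cookie("sid", authed))
    print(check_set_cookie("sid=abc123"))    # constructed weak header
```

The store never trusts a client-supplied ID it did not issue, and every privilege change or timeout removes the old ID from the map, which is what makes the "different cookie after login" and "timed-out cookie is invalid" rules hold in practice.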

Burp Suite is an interesting tool for testing session management. Burp Proxy intercepts every request so that the headers can be looked at and inspected manually. Burp Intruder can be used to test session timeouts and termination: set Intruder to send requests with increasing delay and then check for timeouts in its request engine. Burp Sequencer is another interesting tool. It gives a graphical representation of a statistical analysis of the bitwise as well as the character-level strength of the session token, based on the entropy and randomness of the bits within a collected sample of 20,000 tokens.
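To show what the Sequencer-style analysis measures, here is an added example (not part of the original post and not Burp's own code) that estimates per-position character entropy and per-bit entropy over a sample of hex tokens, and adds a sequential-step check that per-position entropy alone cannot provide. The token generators are constructed for the demonstration: one is a plain counter, the other draws from the OS CSPRNG. All function names are assumptions.

```python
import math
import secrets
from collections import Counter


def _entropy(counter, total):
    """Shannon entropy in bits of a symbol distribution."""
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def per_position_entropy(samples):
    """Entropy of the symbol at each position across the sample set.
    `samples` is a list of equal-length sequences (strings or bit lists)."""
    total = len(samples)
    length = len(samples[0])
    return [_entropy(Counter(s[i] for s in samples), total) for i in range(length)]


def hex_to_bits(token):
    """Decode a hex token to a list of 0/1 ints, one per bit."""
    return [int(b) for b in bin(int(token, 16))[2:].zfill(len(token) * 4)]


def estimate_bits(tokens):
    """Character-level estimate: sum of per-character entropies. This is an
    optimistic upper bound; it ignores correlations between positions."""
    return sum(per_position_entropy(tokens))


def estimate_bits_bitwise(tokens):
    """Bit-level estimate: same idea after decoding the tokens to bits."""
    return sum(per_position_entropy([hex_to_bits(t) for t in tokens]))


def sequential_fraction(tokens):
    """Fraction of consecutive samples whose integer value differs by exactly 1.
    A counter looks 'random' in its low-order positions yet is fully
    predictable; this check catches what per-position entropy misses."""
    vals = [int(t, 16) for t in tokens]
    steps = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return steps / (len(vals) - 1)


def weak_tokens(n, start=4096):
    """Constructed weak generator: a counter rendered as 16 hex digits."""
    return [f"{start + i:016x}" for i in range(n)]


def strong_tokens(n):
    """Constructed strong generator: 64 random bits per token from the CSPRNG."""
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("counter", weak_tokens(2000)), ("csprng", strong_tokens(2000))):
        print(f"{label:8s} chars: {estimate_bits(sample):5.1f} bits  "
              f"bitwise: {estimate_bits_bitwise(sample):5.1f} bits  "
              f"sequential: {sequential_fraction(sample):.2f}")
```

With 2,000 samples the CSPRNG tokens score close to the full 64 bits on both estimates, while the counter scores only a handful of bits because most positions never change. The sequential check is the important caveat: a generator can pass a per-position entropy estimate on its varying digits and still be trivially predictable, so the estimate is never treated as proof of a good token.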

You can find more reading here: session.