Friday, October 27, 2006

Security considerations for session management in applications

  1. Authentication cookies are protected in transit by SSL/TLS: the application is served over HTTPS and never falls back to plain HTTP for authenticated requests.
  2. The contents of authentication cookies are encrypted, and encryption is not treated as a substitute for integrity protection (see item 9). Better still, the cookie holds only an opaque random session id and all session state stays on the server.
  3. Session timeouts, both idle (no activity for N minutes) and absolute (a hard cap on session lifetime regardless of activity), have been factored into the design of the application.
  4. Session ids generated for tracking sessions are not guessable (e.g. the first user who visits the site gets session no. 1, the second gets 2, and so on); they come from a cryptographically secure random number generator with enough entropy that enumeration or brute force is impractical.
  5. Session ids are not reused: an id that has been logged out or has expired is destroyed rather than handed to a new session.
  6. The design includes a credible mitigation for session hijacking attacks: a stolen id has limited value because of short timeouts, the Secure and HttpOnly attributes, and the ability to revoke sessions server side.
  7. A fresh session id is issued at authentication: one value before the user logs in and a different one after, with the pre-authentication value invalidated. This defeats session fixation, where an attacker plants a known id and waits for the victim to authenticate it.
  8. The system does not rely on persistent ("remember me") cookies for authentication decisions, or relies on them only for low-value ones.
  9. Guards are present for the confidentiality and integrity of cookies: any state carried in a cookie is authenticated (e.g. with an HMAC over its contents under a server-side key) so it cannot be tampered with, and the cookie is marked HttpOnly so script cannot read it.
  10. Sensitive cookies are marked "secure", so the browser never sends them over plain HTTP.
  11. The application does not rely on IP filtering for security: client addresses change (proxies, NAT, mobile networks) and are easily shared, so an IP check is at most a weak secondary signal, not a session binding.
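The checklist above is easier to apply with a concrete implementation in front of you. The following is an added example, not code from the original post: a framework-agnostic, in-memory session store and cookie helpers in Python that exercise items 3, 4, 5, 7, 9 and 10. The constants (id length, timeout values), the `Session`/`SessionStore` names and the `sign_cookie`/`verify_cookie` helpers are all assumptions made for this illustration; a real deployment would back the store with a shared datastore and load the HMAC key from configuration.

```python
"""Added example: minimal server-side session store and cookie helpers
illustrating the session-management checklist. Not from the original post."""
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG (assumed value)
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before expiry (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime cap even if active (assumed)


@dataclass
class Session:
    created: float
    last_seen: float
    user: Optional[str] = None   # None until the user has authenticated


class SessionStore:
    """Sessions live server side; the client only ever holds an opaque id."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                       # injectable so tests can move time
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # Item 4: unguessable, never sequential. 256 random bits make
        # collisions and brute-force enumeration impractical.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self) -> str:
        """Issue an anonymous (pre-authentication) session id."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, expiring it if a timeout passed (item 3)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, pre_auth_sid: str, user: str) -> str:
        """Item 7: swap the pre-auth id for a fresh one at authentication.

        The old id is invalidated, so an id an attacker planted or sniffed
        before login (session fixation) never becomes an authenticated one.
        """
        self._sessions.pop(pre_auth_sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(created=now, last_seen=now, user=user)
        return new_sid

    def logout(self, sid: str) -> None:
        """Item 5: an id is never reused; it is simply destroyed."""
        self._sessions.pop(sid, None)


# --- Cookie integrity (item 9) ---------------------------------------------
# If any state must travel in the cookie itself, authenticate it with an HMAC
# under a server-side key so the client cannot tamper with it.

def sign_cookie(value: str, key: bytes) -> str:
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(signed: str, key: bytes) -> Optional[str]:
    """Return the original value, or None if the MAC is missing or wrong."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare: a plain == would leak timing information.
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def set_cookie_header(name: str, value: str) -> str:
    """Items 1 and 10: Secure keeps the cookie off plaintext HTTP; HttpOnly keeps
    it away from script (XSS). No Expires/Max-Age, so it is a session cookie
    rather than a persistent one (item 8)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"
```

The two timeouts are deliberately independent: the idle timeout limits how long a hijacked id stays usable after the victim walks away, while the absolute timeout bounds the exposure even for an attacker who keeps the session alive by replaying requests. `login` both destroys the pre-authentication id and mints a new one, which is the whole of the session-fixation defence; regenerating the id without invalidating the old one would leave the planted id valid.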
