
I'm looking for general advice on how to design a secure session management system. The system I have in place currently follows this design, but it just dawned on me how stupid it is to put all that crap in every URL, especially when you get web indexers / Google Analytics involved. I'd hate to think that I just completely wasted my time following a terribly-written whitepaper, so I guess my question is, is it worth it to re-write my session management system, and if so, how in general should I design it? Thanks.

Jason B
  • Any website worth its salt uses cookies. Why can't you? If you can, check out how PHP/Apache and Java/Tomcat store the session in the cookies. That's the current standard, assuming you don't need to worry about load balancing across servers. – Joseph Lust Apr 07 '11 at 21:04
  • Did you read the link I posted, under "Good Session Management"? It does partially use cookies. – Jason B Apr 07 '11 at 21:07
  • I skimmed over it and am familiar with the three methods. I was just curious why the session state management built into most popular platforms would not work for you out of the box and what special constraints you are facing, since few people write their session management from scratch. – Joseph Lust Apr 08 '11 at 03:26

1 Answer