The OWASP Application Security Verification Standard is used in the development of web applications.
Ensure secure session management by establishing, maintaining, and terminating sessions with strong security measures. For example: generate unique, unpredictable session identifiers and enforce session expiration policies to minimize exposure to session hijacking; set secure cookie attributes and restrict session reuse across devices and locations; and continuously log, audit, and monitor session-related activity to detect anomalies and potential security threats.
- V3.1 Fundamental Session Management Requirements: Use unique, high-entropy session IDs and keep them confidential. Limit session lifetime and ensure sessions are invalidated on logout.
- V3.2 Session Binding Requirements: Bind sessions to specific contexts (IP, device) to prevent hijacking. Regenerate session IDs when the context changes.
- V3.3 Session Logout and Timeout Requirements: Time out sessions after inactivity and ensure a secure logout that invalidates the session on the server.
- V3.4 Cookie-based Session Management: Use the Secure, HttpOnly, and SameSite flags on cookies. Set an expiration for session cookies.
- V3.5 Token-based Session Management: Use signed and encrypted tokens with short expiration and validate the token on each request.
- V3.6 Re-authentication from a Federation or Assertion: Require re-authentication for federated logins (e.g., OAuth, SAML) with strong token validation.
- V3.7 Defenses Against Session Management Exploits: Regenerate session IDs to prevent session fixation and monitor for suspicious session activity. Implement rate limiting to prevent brute-force attacks.

By regenerating session IDs, binding sessions to contexts, and managing cookies securely, you can effectively secure user sessions.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-11-03-01-01 | Establish secure session management | Implement secure session handling mechanisms, ensuring unique session IDs and protection against session fixation and hijacking. Use cryptographically strong session identifiers. | Implementation | Security Teams, Software Architects |
SSS-02-11-03-01-02 | Enforce secure cookie attributes | Configure cookies with security attributes such as HttpOnly, Secure, and SameSite to protect against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. | Development | Security Teams |
SSS-02-11-03-01-03 | Implement session expiration policies | Prevent session timeout exploitation by enforcing session expiration, automatic logout for inactive users, and short-lived session tokens. Require re-authentication for sensitive actions. | Deployment | Security Teams, Compliance Officers |
SSS-02-11-03-01-04 | Ensure proper logout and session revocation | Implement a robust logout mechanism that invalidates session tokens and prevents reuse. Ensure session revocation occurs on logout or after authentication context changes. | Post-deployment | Security Engineers, DevOps Teams |
SSS-02-11-03-01-05 | Monitor and audit session activities | Continuously monitor active sessions, detect anomalies, and log session-related events to identify potential security risks. Implement automated session termination for detected threats. | Post-deployment | Security Teams, Compliance Officers |
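The following is an added example, not code from OWASP or this catalogue, showing how the V3 requirements above and operations SSS-02-11-03-01-01 through -04 fit together in a minimal server-side session store: high-entropy IDs (V3.1), binding to a client context (V3.2), idle and absolute timeouts plus server-side logout (V3.3), cookie attributes (V3.4), and ID rotation at login against fixation (V3.7). The timeout values, the `client_ctx` string and the `__Host-SESSION` cookie name are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # V3.3: inactivity limit in seconds (assumed policy value)
ABSOLUTE_TIMEOUT = 8 * 3600  # V3.3: hard lifetime cap regardless of activity (assumed)


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    client_ctx: str  # V3.2: binding context, e.g. a hash of the client fingerprint (assumed)


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so timeouts can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, client_ctx: str, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)  # V3.1: 256-bit identifier from a CSPRNG
        t = self._now()
        self._sessions[sid] = Session(user, t, t, client_ctx)
        return sid

    def get(self, sid: str, client_ctx: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._now()
        if (now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT
                or s.client_ctx != client_ctx):
            self._sessions.pop(sid)  # V3.2/V3.3: invalidate on timeout or context change
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, client_ctx: str) -> str:
        # V3.7: discard the pre-login ID and issue a fresh one, so a fixated ID never authenticates
        self._sessions.pop(sid, None)
        return self.create(client_ctx, user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # V3.3: invalidate server-side, not just the cookie


def session_cookie(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    # V3.4: Secure, HttpOnly, SameSite, explicit lifetime; __Host- also forces Path=/ and no Domain
    return f"__Host-SESSION={sid}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={max_age}"
```

A real deployment would also log the create, login, logout and invalidation events from this store to feed the monitoring operation SSS-02-11-03-01-05.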
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0971); OWASP Application Security Verification Standard | | |