Questions tagged [session-management]

Management of semi-permanent interactive information interchange between two or more communicating devices, or between a computer and user

579 questions
12 votes, 1 answer

Is this a right technique to create and validate session tokens?

Current token format, creation, verification: vls_k3uGjFsDfA49Ygt8mqNHAtkBuUqRTU6K1KfUCwEiX9Z I am creating the session token as follows: Create an array of 32 bytes. Fill the first 28 bytes via PRNG. Calculate a checksum (CRC-32) from the 28 bytes and…
neymecc
8 votes, 3 answers

What is the state of the art for forcing logout on browser quit?

Background: Most browsers have implemented some form of "Session Restore" functionality as a convenience to users where, if enabled, session cookies will be persisted across browser restarts. Firefox has "Show my windows and tabs from last…
bsterne
5 votes, 3 answers

Clearing/changing session id on logout

While reading through the newest OWASP ASVS standard (still beta) I have found a requirement V2.6 saying Verify that the session id is changed or cleared on logout. I do not see a clear point why it is necessary to have the session id changed or…
Marek Puchalski
5 votes, 2 answers

What are the tradeoffs in allowing logouts of other logged-in sessions?

For instance, Gmail has allowed remote logout since 2008. I think I have seen other sites that allow you to log out all other logged-in sessions. What are the tradeoffs to consider in this session management strategy?
Mark Rushakoff
5 votes, 2 answers

In which OSI layer does session hijacking occur?

In which layer of the OSI model does session hijacking occur? I have performed some research on this, and found that the answer is the transport layer. But is the transport layer not the place where the routing takes place? And when we use packet…
Panda
4 votes, 4 answers

Is it correct to use a form field (hidden) for storing a Session Token?

Is it correct to use a form field (hidden) for storing the Session Token instead of using Cookies? What is the security risk associated with it?
WxyZ
4 votes, 2 answers

How to invalidate a session on browser closure?

I have a web application where web sessions need to expire after a stipulated period of time. However, capturing the browser closure event is not a good idea to invalidate a user session. What can be an alternative solution to invalidate a user session on…
ABC
4 votes, 1 answer

How often should secrets be regenerated for token-authentication?

When implementing token-based authentication, is it recommended to regenerate secrets on a periodic basis? This is assuming the tokens generated have expiration.
drum
4 votes, 2 answers

Is allowing users to sign out of all other sessions good or bad?

I'm not really sure if this feature is a good security idea, but would it be good to allow a user to sign out of all other sessions? Or would this be a bad idea, because I see a good amount of pros, but there is one con that bothers me. Pros: Sign…
UnderMyWheel
3 votes, 1 answer

At what level does session key entropy become a real-world issue?

Say we have a session key of between 0000000000-9999999999, providing 33.2 bits of entropy. This is far short of the 128 bits recommended by most. Of course, it is normally trivial to change session keys to be of reasonable length, but there are a lot…
Cybergibbons
3 votes, 2 answers

Is the Guid.NewGuid method in .NET secure enough to be a session id?

At the company I work at, we use the output of the Guid.NewGuid method as a session id. So when a customer logs into our website, the output of Guid.NewGuid becomes the customer's session id and is used to authenticate all subsequent requests (until…
Weare Mwam
3 votes, 1 answer

Why are user names generally not stored in session cookies and provided with session IDs?

I have been reading a little bit about security lately and wondered this. Why are session IDs not essentially temporary passwords linked to the user name? Both being sent from the client and checked by the server with each request. From what I can…
Matthew
3 votes, 1 answer

Fear regarding session tokens

I have read recently that sessions work as follows: Your credentials are checked. A token is generated and stored on the server side, e.g. a UUID, and this token is given to the client where it is stored for the duration of the session. When the user logs…
Dmytro
2 votes, 0 answers

logout all devices or only one

I wonder which is the best practice in terms of security. Assuming an application where one can log in from multiple devices in parallel, what should I expect from the "logout" button? To log out the user, closing all the active sessions, or to log out the…
Davide C
2 votes, 1 answer

What are the security benefits of creating a session vs. just using Google ID token every time in my server back end?

I'm using Google Sign In to authenticate my users with my server back end via my Android app. So far I am able to sign in and obtain an ID token, which I then send to my server back end for verification, which I can do using the PHP Google API…
user156220