A “session” is a temporary interaction between a user and a web application, typically beginning when the user logs in and ending when they log out or after a period of inactivity. Each session is identified by a session ID, which the browser presents on every request.
Definition: Session hijacking, also known as session stealing, occurs when an attacker takes over a valid session, typically by obtaining its session ID (sniffing it on the network, stealing the cookie through script, or guessing it) and presenting that ID as their own.
Threat: Unauthorized access to everything the legitimate user is authorized to see and do, for as long as the session remains valid.
Use TLS for Cookies and Limit Session Lifetime:
TLS (SSL) encrypts the connection, so the session ID is never transmitted in plain text where a network attacker could read it. Setting requireSSL="true" additionally marks the session cookie Secure, so the browser refuses to send it over plain HTTP even if a page is loaded insecurely. A short idle timeout limits how long a stolen ID stays usable, because the server discards the session and a new ID must be issued. Both settings live under <system.web> in web.config:
<!-- Mark cookies Secure: only sent over HTTPS -->
<httpCookies requireSSL="true" />
<!-- Set a limited session timeout (minutes of inactivity) -->
<sessionState timeout="20" />
Avoid Using URI Cookie-Less Sessions:
Session IDs are normally carried in a cookie. Cookieless sessions embed the session ID in the URI (the web address) instead, where it leaks through browser history, bookmarks, shared links, proxy and server logs, and the Referer header of any outbound link; it also makes session fixation trivial, since an attacker only has to send the victim a link containing an ID of their choosing.
<!-- Ensure cookie-less mode is not used: carry the session ID in a cookie only -->
<sessionState cookieless="UseCookies" />
Reset Session on User Logout:
Destroy the server-side session data on logout and expire the session cookie, so the identifier cannot be replayed afterwards. In ASP.NET, Session.Abandon() discards the server-side state, but the browser keeps the ASP.NET_SessionId cookie and the same ID is reused on the next request unless the cookie is cleared as well.
// Reset session on user logout: drop server-side state and expire the ID cookie
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { Expires = DateTime.Now.AddDays(-1) });
Generating Long, Random Session IDs:
Use session IDs that are long and produced by a cryptographically secure random generator, so an attacker cannot guess or enumerate a valid one; OWASP recommends at least 64 bits of entropy, and 128 bits is common. Length alone is not enough: a long ID assembled from predictable material (timestamps, counters, user names) is still guessable. The default ASP.NET SessionIDManager already issues 120-bit random IDs (24 characters); if you replace it with a custom manager, keep that property and also override Validate so that malformed IDs are rejected.
// Generate lengthy session keys (custom SessionIDManager: override CreateSessionID and Validate)
Session Fixation Attack:
Definition: In a session fixation attack the attacker chooses the session ID before the victim logs in (for example by sending a link that carries the ID, or by setting a cookie for the domain) instead of the user receiving one from the server. If the application keeps that ID across authentication, the attacker already knows the ID of the now-authenticated session.
Defend by issuing a new session ID at login (and at any other privilege change) and discarding the pre-login one, so an ID the attacker planted never becomes an authenticated session.
// Regenerate the session ID after login. SessionIDManager has no RegenerateID method; create and save a fresh ID explicitly:
var manager = new SessionIDManager();
string newId = manager.CreateSessionID(HttpContext.Current);
bool redirected, cookieAdded;
manager.SaveSessionID(HttpContext.Current, newId, out redirected, out cookieAdded);
// Data in the pre-login session does not carry over to the new ID, which is the intent: nothing the attacker may have seeded is kept.
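The three server-side controls above (long random IDs, a fresh ID at login so a fixated ID never becomes authenticated, and full reset at logout together with an idle timeout) are easiest to see in one framework-neutral session store. This is an added example, not code from the original page or from ASP.NET; the names SessionStore, ID_BYTES and IDLE_TIMEOUT, and the scenarios at the bottom, are this example's own.

```python
"""Framework-neutral model of a server-side session store (added example).

Shows: CSPRNG session IDs, rejection of IDs the server could not have issued,
a new ID at login (session fixation defence), idle-timeout expiry, and
destruction of server-side state at logout.
"""
import secrets
import string
import time

ID_BYTES = 16                 # assumption: 128 bits of CSPRNG entropy per ID
ID_LEN = 22                   # token_urlsafe(16) yields 22 URL-safe characters
ALPHABET = set(string.ascii_letters + string.digits + "-_")
IDLE_TIMEOUT = 20 * 60        # seconds of inactivity before a session is dropped


def new_session_id() -> str:
    """Return an ID drawn from the OS CSPRNG, never from a counter or timestamp."""
    return secrets.token_urlsafe(ID_BYTES)


def valid_id_format(sid) -> bool:
    """Reject anything the server could not have issued (like ASP.NET's Validate)."""
    return isinstance(sid, str) and len(sid) == ID_LEN and all(c in ALPHABET for c in sid)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return live session data, or None for unknown, malformed or idle-expired IDs."""
        if not valid_id_format(sid):
            return None
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: force a new session to be issued
            return None
        data["last_seen"] = now          # activity extends the idle window
        return data

    def login(self, presented_sid, user: str) -> str:
        """Authenticate and issue a brand-new ID; the presented (possibly attacker-chosen)
        ID is discarded, so whoever planted it never learns the authenticated ID."""
        self._sessions.pop(presented_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid) -> None:
        """Destroy server-side state so a replayed ID finds nothing."""
        self._sessions.pop(sid, None)


# Constructed scenarios (not captured from a real application)
def fixation_attempt_fails() -> bool:
    """Attacker obtains a valid pre-login ID and fixes it on the victim's browser;
    after the victim logs in, the attacker's ID must be dead and distinct from the new one."""
    store = SessionStore()
    attacker_sid = store.create()
    victim_sid = store.login(attacker_sid, "alice")
    return (store.get(attacker_sid) is None
            and store.get(victim_sid)["user"] == "alice"
            and attacker_sid != victim_sid)


def idle_session_expires() -> bool:
    """With a fake clock: activity just inside the window keeps the session,
    silence longer than the window ends it."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.create(), "bob")
    now[0] += IDLE_TIMEOUT - 1
    alive = store.get(sid) is not None
    now[0] += IDLE_TIMEOUT + 1
    return alive and store.get(sid) is None


def logout_invalidates() -> bool:
    store = SessionStore()
    sid = store.login(store.create(), "carol")
    store.logout(sid)
    return store.get(sid) is None


if __name__ == "__main__":
    print("fixation blocked:", fixation_attempt_fails())
    print("idle expiry works:", idle_session_expires())
    print("logout invalidates:", logout_invalidates())
```

The login step is the fixation defence: it never "upgrades" the presented session, it replaces it. The format check in get() matters for the same reason ASP.NET validates IDs: an ID the server never minted should be treated as no session at all rather than looked up or, worse, adopted.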
Protecting Session Cookies from Client-Side Scripts:
Two cookie attributes limit what a script running in the browser, or a request forged from another site, can do with the session cookie.
HttpOnly is a flag on the cookie that tells the browser not to expose it to client-side script: document.cookie cannot read it, only the server sees it. It does not stop the browser from sending the cookie, so script injected through XSS can still make authenticated requests from the victim's page; HttpOnly only keeps the ID itself from being exfiltrated and reused elsewhere.
The SameSite attribute (specified in the RFC 6265bis draft that updates RFC 6265) tells the browser whether to attach the cookie to cross-site requests. A "site" here is the registrable domain: the public suffix plus the label just before it. For example, www.blog.globaldigitalsecurity.ca belongs to the site globaldigitalsecurity.ca, so any page under that site is same-site. With SameSite=Strict the browser sends the cookie only on requests that originate from the same site, so a request forged from another site (CSRF) arrives without the session cookie. Strict also strips the cookie from ordinary links into your site from elsewhere, so users arrive logged out; Lax is the usual compromise when that is a problem.
// Secure session cookies (the sameSite attribute requires .NET Framework 4.7.2 or later)
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />
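The configuration above only helps if the Set-Cookie header the application actually emits carries the attributes, so the practical check is to capture that header (for example from the response to a login) and audit it. The checker below is an added example, not part of the original page and not ASP.NET code; the sample headers and the finding tags are constructed for the example.

```python
"""Audit a raw Set-Cookie header for Secure, HttpOnly and SameSite (added example)."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a lowercase-keyed attribute map.
    The cookie's own name=value pair is stored under the key ''."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {"": parts[0]}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def session_cookie_findings(header: str) -> List[str]:
    """Return finding tags for a session cookie header; an empty list means hardened."""
    attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")          # sent over plain HTTP, sniffable
    if "httponly" not in attrs:
        findings.append("no-httponly")        # readable through document.cookie
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("strict", "lax"):
        pass                                  # cross-site requests do not carry it
    elif samesite == "none":
        findings.append("samesite-none")      # attached to every cross-site request
        if "secure" not in attrs:
            # Browsers reject SameSite=None cookies that are not also Secure
            findings.append("samesite-none-without-secure")
    else:
        findings.append("no-samesite")        # relying on the browser's default
    return findings


# Constructed headers: what a default ASP.NET session cookie looks like versus
# what the <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />
# setting should produce.
WEAK_HEADER = "ASP.NET_SessionId=abc123; path=/"
HARDENED_HEADER = "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, session_cookie_findings(hdr) or "ok")
```

Run it against the header copied from a real response (curl -I on the login endpoint shows it) rather than against the config file: reverse proxies and older framework versions can silently drop or ignore attributes, and only the header the browser receives counts.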