Sometimes, less is more?
Whenever I get longwinded while explaining something, my coworkers will gently remind me that less is more. In web transactions, it is often the case that HTTP requests and responses will disclose multiple traceable elements that, rather than adding clarity to the session's state, will instead undermine its security. We've seen multiple applications in earlier chapters use combinations of PHPSESSID or JSESSID, username, user number, session token, and so on used to track the same conversation. While I am all about providing assurances that something is well tracked, if the application still allows state to be maintained with only a subset of those session management parameters in place, then finding out which ones ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access