No matter how effective an application is at ensuring that the session tokens it generates do not contain any meaningful information and are not susceptible to analysis or prediction, its session mechanism will be wide open to attack if those tokens are not handled carefully after generation. For example, if tokens are disclosed to an attacker via some means, the attacker can hijack user sessions even if predicting the tokens is impossible.
An application's unsafe handling of tokens can make it vulnerable to attack in several ways.
“Our token is secure from disclosure to third parties because we use SSL.”
Proper use of SSL certainly helps protect session tokens from being captured. But various mistakes can still result in tokens being transmitted in cleartext even when SSL is in place. And various direct attacks against end users can be used to obtain their tokens.
“Our token is generated by the platform using mature, cryptographically sound technologies, so it is not vulnerable to compromise.”
An application server's default behavior is often to create a session cookie when the user first visits the site and to keep using that same cookie for the user's entire interaction with the site. As described in the following sections, this may lead to various security vulnerabilities in how the token is handled.
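The following audit sketch is an added example, not code from the original text. It replays a constructed HTTP trace and flags a token issued on the first visit, reused unchanged after login, and sent over plain HTTP even though login uses SSL. The cookie name `SESSIONID`, the `shop.example` URLs and the three checks are assumptions chosen for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

COOKIE = "SESSIONID"  # hypothetical session cookie name

# Constructed trace: (URL, Cookie header sent, Set-Cookie received, is_login_response)
TRACE = [
    ("http://shop.example/", None, "SESSIONID=a1b2c3; Path=/; HttpOnly", False),
    ("https://shop.example/login", "SESSIONID=a1b2c3", None, True),
    ("https://shop.example/account", "SESSIONID=a1b2c3", None, False),
    ("http://shop.example/static/logo.png", "SESSIONID=a1b2c3", None, False),
]

def session_morsel(header):
    """Parse a Cookie or Set-Cookie header; return the session cookie's Morsel or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar.get(COOKIE)

def audit(trace):
    """Return (finding, url) pairs for unsafe handling of the session token."""
    findings = []
    current = None  # token value the browser currently holds
    for url, sent, set_cookie, is_login in trace:
        cleartext = urlsplit(url).scheme == "http"
        if cleartext and session_morsel(sent) is not None:
            findings.append(("token-sent-in-cleartext", url))
        issued = session_morsel(set_cookie)
        if issued is not None:
            if cleartext:
                findings.append(("token-issued-over-http", url))
            if not issued["secure"]:
                findings.append(("missing-secure-flag", url))
        # A login that keeps the pre-login token carries any earlier
        # exposure of that token into the authenticated session.
        if is_login and (issued is None or issued.value == current):
            findings.append(("token-not-reissued-at-login", url))
        if issued is not None:
            current = issued.value
    return findings

if __name__ == "__main__":
    for finding, url in audit(TRACE):
        print(f"{finding:30} {url}")
```

A trace in which the cookie carries the `Secure` flag, is replaced with a fresh value in the login response, and never accompanies an `http://` request produces no findings.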
This area of vulnerability arises when the session token is transmitted across the ...