Session management guidelines

The following is a list of session management guidelines:

  • No matter the authentication mechanism used, always implement session management and validate the session on every page and/or request.
  • Use long, random, and unique session identifiers. Favor the mechanisms already implemented in major web development languages such as ASP.NET, PHP, and J2EE.
  • Generate new session IDs for users on log in and log out. Permanently invalidate the used ones.
  • Invalidate sessions and log users out after a reasonable time of inactivity—15 to 20 minutes. Provide a good balance between security and usability.
  • Always give the user an explicit way to log out; that is, provide a log out button or menu option.
  • When using session cookies, ...
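A minimal server-side session store that applies the guidelines above (long random IDs from a CSPRNG, a fresh ID on log in and log out with the old one permanently invalidated, an idle timeout, and validation on every request). This is an added example, not code from the book; the injectable `clock` is an assumption so the timeout can be exercised without waiting.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set

IDLE_TIMEOUT_SECONDS = 15 * 60  # lower end of the 15-20 minute guideline


class SessionStore:
    """Server-side store; every request must go through validate()."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}   # sid -> {"user", "last_seen"}
        self._revoked: Set[str] = set()        # IDs that must never work again

    @staticmethod
    def _new_id() -> str:
        # 32 bytes of CSPRNG output, URL-safe; never random.random() or counters
        return secrets.token_urlsafe(32)

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        # Always issue a new ID at login; retire any pre-auth ID the client held
        if old_sid is not None:
            self._invalidate(old_sid)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid: str) -> None:
        self._invalidate(sid)

    def _invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)
        self._revoked.add(sid)  # kept so reuse of a dead ID can be spotted and logged

    def validate(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if the session is not valid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._invalidate(sid)  # idle too long: treat as logged out
            return None
        s["last_seen"] = now  # activity extends the idle window
        return s["user"]

    def was_revoked(self, sid: str) -> bool:
        """Reuse of a revoked ID is a signal worth alerting on."""
        return sid in self._revoked
```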

Get Web Penetration Testing with Kali Linux - Third Edition now with O’Reilly online learning.