Friday 1 June 2012

Who moved my session? Best practices for preventing session abuse in Web Applications!

Recently someone came to me with a question on how to prevent users of a web application from misusing the session. Specifically, she wanted to know how to prevent a user from copying another user's session cookie and then using it to stay logged in for a long time.

Digging into the subject a bit, it became clear that session attacks are among the trickiest to test for and protect against, because every countermeasure you take also has a cost for the legitimate user (a trade-off in either flexibility or user experience).

As described at http://www.lucato.it/session-security, session attacks fall into three categories: session pollution, session hijacking and session fixation.

The paper at http://www.acros.si/papers/session_fixation.pdf gives background on why sessions are needed, details of session fixation and session hijacking, and the measures a developer can take to ward off these attacks.

However, as said before, any list of countermeasures is a trade-off.
What is needed is a set of measures that are not very restrictive from a user-experience point of view, yet effective from a security point of view.

Some useful measures:

- Sessions expire after 30 minutes.

- Cookies are configured as HttpOnly and Secure (not all browsers support this, notably Opera and Safari).

- Randomly change the session ID during the session, so that a copied ID stops working soon after it was taken.

- Invalidate any previous session on each login, with the consequence that a user can have only one login instance active at a time.
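As an added example that is not from the original post, the following Python (standard library only) shows the four measures above wired into one server-side session store: a 30-minute idle timeout, an HttpOnly/Secure session cookie, session-ID regeneration at a random point in the session, and one active session per user. The store keeps sessions in memory behind an injectable clock so the behaviour can be exercised offline; the 5-to-15-minute rotation window, the cookie name `sid` and the class and function names are assumptions made for this example, not something the post prescribes.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # idle timeout in seconds: 30 minutes, as in the post


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    rotate_after: float  # absolute time after which the ID is replaced


class SessionStore:
    """Server-side store: the cookie carries only an opaque random ID."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable for testing (assumption)
        self.sessions = {}      # session_id -> Session
        self.by_user = {}       # user -> current session_id (one login at a time)

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG; never derived from user data or time
        return secrets.token_urlsafe(32)

    @staticmethod
    def _rotate_delay():
        # Random interval of 5..15 minutes before the ID is regenerated (assumption)
        return 5 * 60 + secrets.randbelow(10 * 60)

    def login(self, user):
        # Measure 4: a new login invalidates any previous session of the same user,
        # so a cookie copied earlier stops working as soon as the owner logs in again.
        old = self.by_user.pop(user, None)
        if old is not None:
            self.sessions.pop(old, None)
        now = self.clock()
        sid = self._new_id()
        self.sessions[sid] = Session(user, now, now, now + self._rotate_delay())
        self.by_user[user] = sid
        return sid

    def resolve(self, sid):
        """Validate a presented session ID.

        Returns (user, id_to_set_in_cookie) or None when the session is invalid.
        The server cannot tell a copied cookie from the real one; the measures
        only bound how long and how widely a copied ID stays usable.
        """
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        # Measure 1: idle expiry after SESSION_TTL
        if now - s.last_seen > SESSION_TTL:
            self.destroy(sid)
            return None
        s.last_seen = now
        # Measure 3: regenerate the ID at a random point; the old ID dies immediately
        if now >= s.rotate_after:
            new_sid = self._new_id()
            del self.sessions[sid]
            self.sessions[new_sid] = s
            self.by_user[s.user] = new_sid
            s.rotate_after = now + self._rotate_delay()
            return s.user, new_sid
        return s.user, sid

    def destroy(self, sid):
        """Logout or expiry: drop the session and the user's active-login pointer."""
        s = self.sessions.pop(sid, None)
        if s is not None and self.by_user.get(s.user) == sid:
            del self.by_user[s.user]


def session_cookie_header(sid):
    """Measure 2: emit the Set-Cookie header with the HttpOnly and Secure flags."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not readable from script in the browser
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(session_cookie_header(sid))
    print(store.resolve(sid))
```

Each request calls `resolve` with the ID from the cookie and, when the returned ID differs from the presented one, sends a fresh `Set-Cookie` header; any handler that changes privilege (login, password change) should call `login` again so the ID is replaced there as well.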