Questions tagged [session-management]

Management of semi-permanent interactive information interchange between two or more communicating devices, or between a computer and user

550 questions
124 votes, 3 answers

Session Authentication vs Token Authentication

I am trying to get a handle on some terms and mechanisms and find out how they relate to each other or how they overlap. Authenticating a theoretical web application and mobile application is the focus. The focus is on the exact difference between…
Hoax
98 votes, 8 answers

Do we need to logout of webapps?

A quick Google search doesn't reveal whether it is important to logout of webapps (online banking, Amazon, Facebook, etc.), or if I am safe just closing the tab or browser. I am sure I heard on some TV show that it's best to logout... What possible…
Angelo.Hannes
52 votes, 3 answers

Why is it insecure to store the session ID in a cookie directly?

I am learning about session middleware. You have to supply a secret or the middleware complains: app.use(session({ secret: "abc", resave: false, saveUninitialized: false, store: new MongoStore({ mongooseConnection: mongoose.connection …
Angular noob
50 votes, 4 answers

Why aren't sessions exclusive to an IP address?

Given the appropriate XSS vulnerability, an attacker can hijack somebody's session with the data that's passed to and from the server. Why aren't sessions always exclusive to the IP they were started on? i.e., when would a website/service need to…
user81147
42 votes, 4 answers

Demystifying Web Authentication (Stateless Session Cookies)

I'm currently researching user authentication protocols for a website I'm developing. I would like to create an authentication cookie so users can stay logged in between pages. Here is my first bash: cookie =…
Joony
41 votes, 5 answers

Why do you need to close your browser window after logging out of a website?

I might be wrong, but I believe the request to close the browser window after logging out is common, though it's completely unclear what the risks might be of failing to close a browser window (assuming the browser is completely up-to-date) and why…
blunders
40 votes, 1 answer

What cookie attacks are possible between computers in related DNS domains (*.example.com)?

Here, several servers in the same DNS domain emit cookies under a variety of settings (scope, HTTPS, Secure) and another host emits a cookie with the same value. Example Suppose a user has the following cookie set at secure.example.com: authCookie…
makerofthings7
38 votes, 4 answers

Avoid hitting the DB to authenticate a user on EVERY request in a stateless web app architecture?

Summary: Once a user logs into a web site and his username/password credentials are verified and an active session is established, is it possible to avoid hitting the DB for each and every request from that user? What is the recommended method of…
32 votes, 6 answers

Can't a user change his session information to impersonate others?

Can't an attacker just change his/her session (or cookie because it's stored locally) information then fool the server that he's the legitimate user? Say for example, if a website uses the database id as an identifier, the attacker logs in to his…
28 votes, 5 answers

Should concurrent logins be allowed?

We have a web app (Django) that logs users out if they haven't made a request within 1 hour. From a security point of view, is it good practice to also block concurrent logins? In other words, if a user logs in on his PC and then logs in from their…
Kritz
27 votes, 4 answers

How to hijack a session?

Despite the blatant title of the question, this is actually for a genuine purpose. My site uses PHP code like this: $select="select id from tableA where user_id='".$_SESSION['sess_user_id']."'"; I'm really trying to think like a hacker and…
Steve
25 votes, 3 answers

Choosing a session ID algorithm for a client-server relationship

I am developing an application which has a client-server relationship, and I am having trouble deciding on the algorithm by which the session identifier is determined. My goal is to restrict imposters from acquiring other users' private data. I'm…
24 votes, 1 answer

What kind of hashing to use for storing REST API tokens in the database?

We have a REST API that communicates with a mobile front-end. After submitting a one time password, the backend will issue a token (random UUID v4 string) for the mobile app to use as authentication on subsequent requests. The server will store a…
maniciam
23 votes, 4 answers

Why do users want to disable cookies?

I just started to create a new web application. In the documentation, it is written that I have to prepare for the situation where users have disabled cookies. This is not the first time I have read this condition. Can anyone explain to me why users…
22 votes, 5 answers

Good session practices

What are some good practices for ensuring logins, session IDs and session content are secure for a website?
James T