Web Session Management

Topics Session Tokens · Storage · Logout · Hijacking · Fixation
01 //

Sessions

A session is a sequence of requests and responses from one browser to one or more sites. Session management authenticates the user once so that all subsequent requests are tied to that user.

Goals
  • Authorize once - user authenticates; all later requests use the session
  • Sessions can be long (e.g., Gmail) or short
  • Without session management, users would constantly re-authenticate
02 //

Session Tokens

The server assigns a token to identify the session. Anonymous tokens can be elevated to logged-in tokens after authentication.

Session Token Flow
GET /index.html
set anonymous session token
GET /books.html
POST /do-login
elevate to logged-in token
POST /checkout
03 //

Storing Session Tokens

Three main options; each has tradeoffs. The best approach is a combination tailored to the application.

Browser Cookie

Set-Cookie

Set-Cookie: SessionToken=fduhye63sfdb - sent with every request. Downside: enables CSRF (browser sends cookie even when user didn't intend the request).

Embed in URL

Link Parameters

https://site.com/checkout?SessionToken=kh7y3b - every request carries token. Downside: leaks via Referer header or if user posts URL publicly.

Hidden Form Field

No Automatic Sending

<input type="hidden" name="sessionid" value="kh7y3b"> - every user action must submit a form or token is lost.

Best Practice

Use a combination of all three - cookie, URL embed, and hidden field - depending on application needs. No single method is perfect.

Token Size

Token size is a concern. Large tokens bloat requests. Cookies have size limits. Tokens expire, but revocation mechanisms should exist.

04 //

The HTTP Referer Header

The Referer header tells the server which page the user came from. Useful for analytics, but creates a privacy and security problem.

Problem

Token Leakage

Referer leaks the URL - including any session token in the query string - to third-party sites when the user clicks a link. If the previous page had ?SessionToken=xyz, that token is sent to the linked site.

Solution

Referer suppression - don't send Referer when linking out. HTM<a rel="noreferrer" href="https://example.com">

05 //

Logout Procedure

Web sites must provide logout for both functionality (switch users) and security (prevent abuse of abandoned sessions).

What Must Happen During Logout
  1. 1
    Delete SessionToken from client - clear cookie, clear stored token
  2. 2
    Mark session token as expired on server - invalidate server-side session state
Common Mistake

Many sites do 1 but not 2. The server never invalidates the token. An attacker who stole the token (e.g., via cleartext HTTP at a café) can continue using it after the user logs out. Especially risky when sites use HTTPS for login but fall back to HTTP afterward.

06 //

Session Hijacking

The attacker steals a legitimate session token and uses it to impersonate the victim. Can be passive (sniff silently) or active (disconnect user; social engineering).

Session Hijacking - Passive Sniffing
Victim
Session ID
Web Server
attacker intercepts
Attacker

Predictable Tokens

Counter Token

User logs in, gets counter value. Attacker can guess other counter values and view other users' sessions. Never use sequential IDs.

Weak MAC Token

Weak cryptographic protection exposes the secret key from a few cookies. Attacker recovers key, derives counter, hijacks sessions.

Token Generation

Use unpredictable tokens. Rely on framework APIs: ASP, Tomcat generateSessionId(), Rails. Example: Token = MD5(current_time, random_nonce)

Session Token Theft

Mixed HTTPS/HTTP

Login over HTTPS, then fallback to HTTP. Token sent in cleartext. Network attacker at wireless café (e.g., Firesheep) intercepts. Also: MITM on SSL handshake.

XSS

Cross-Site Scripting steals token (e.g., via document.cookie). Amplified by poor logout - if server doesn't invalidate, stolen token works indefinitely.

Binding to Client (Usually Fails)

Embedding machine-specific data (IP, User-Agent) in the session ID seems appealing but has problems:

SID = IP

Bad: DHCP changes IP; user gets locked out of own session.

SID = User-Agent

Bad: User-Agent is easily stolen or guessed by attacker.

Best approach: unpredictable server-generated token. No reliable client binding.

07 //

Session Fixation

Attacker sets the user's session token, then tricks the user into logging in with that token. The attacker's token gets elevated to logged-in; attacker hijacks the session.

Session Fixation Attack (URL Tokens)
  1. 1
    Attacker gets anonymous session token from site.com
  2. 2
    Attacker sends URL to victim: https://site.com/login?SessionToken=attacker_token
  3. 3
    Victim clicks URL and logs in - attacker's token is elevated to logged-in
  4. 4
    Attacker uses elevated token to hijack victim's session

For cookie tokens: use XSS to set the cookie value before victim logs in.

Session Fixation: Lesson

When elevating user from anonymous to logged-in: always issue a new session token. After login, the token changes to a value unknown to the attacker. The attacker's original token is not elevated.

08 //

Summary

Session Management Takeaways
  • Assume adversarial client data - never trust cookie/session data from the client
  • Logout must invalidate on server - delete client token and mark expired server-side
  • Tokens spread across mechanisms - cookies, hidden fields, URL params; cookies alone are insecure (CSRF, overwrite)
  • Unpredictable tokens - use framework APIs; resist theft (HTTPS everywhere, no mixed content)
  • Issue new token on login - prevent session fixation

Further Reading

Secure Session Management With Cookies

Best practices for cookie-based session management.

Origin Cookies

Session integrity for web applications - binding sessions to origins.