{"id":504,"date":"2009-07-17T15:00:05","date_gmt":"2009-07-17T09:30:05","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=504"},"modified":"2009-07-17T15:01:36","modified_gmt":"2009-07-17T09:31:36","slug":"session-management-in-web-applications","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/session-management-in-web-applications\/","title":{"rendered":"Session Management in Web Applications"},"content":{"rendered":"<p>Web applications are those that are accessed using web browsers like Firefox or Internet Explorer. The protocol used by web applications is called Hyper Text Transfer Protocol (HTTP). HTTPS is the same protocol carried over TLS; it protects the traffic (including session tokens) in transit, but does nothing by itself to manage sessions.<\/p>\n<p><!--more--><\/p>\n<p>HTTP is stateless. For example, when you fill in your username and password on Gmail, the data you enter is sent to the login program on the Gmail server. The login program checks whether you sent valid credentials and either shows you your inbox or tells you that the data you entered was invalid. This request-response pair is one \u2018transaction\u2019 in HTTP.<\/p>\n<p>If you now click on any link in the inbox, the request sent to the Gmail server is a \u2018fresh\u2019 one at the level of HTTP, with no connection to any previous request you sent. So web applications have to handle the notion of a \u2018session\u2019 on their own.<\/p>\n<p>Typically, when a user authenticates to a web application, the application issues the user a token (usually carried in a cookie). The server also records that token A was issued to user Ram. Every request that Ram now makes is accompanied by token A, and the server expects any request claiming to be from Ram to carry it. When Ram logs out, the server destroys its record of token A, so presenting that token again gains nothing. This is the essence of session management in web applications.<\/p>\n<p>Secure web applications should satisfy the following criteria:<\/p>\n<p>&#8211; Session tokens should be large enough and random enough: generated by a cryptographically secure random number generator with at least 128 bits of entropy, so that they can be neither guessed nor enumerated.<br \/>\n&#8211; On authentication, a new session token should be issued to the user; a token that existed before login must never be promoted to an authenticated one.<br \/>\n&#8211; When the server receives a request for a page within an authenticated area, it should always check for the presence of a valid, authenticated session token before serving the page.<br \/>\n&#8211; On logout, the session token should be destroyed on the server side (its record removed, so it can never be used again) and cleared from the client.<br \/>\n&#8211; Session tokens should not be reused by the web application: a token that has been destroyed or has expired must never be issued again.<br \/>\n&#8211; Based on the criticality of the web application, session time-outs (idle and absolute) should be implemented.<\/p>\n<p>Some common attacks related to session management:<\/p>\n<p>&#8211; Authentication bypass: when a request for a page within a restricted area is not accompanied by a valid authenticated session token and the web application serves the page anyway, authentication has been bypassed.<br \/>\n&#8211; Session fixation: when the same session token is used before and after authentication, an attacker who plants a token of his own choosing in the victim\u2019s browser can wait for the victim to log in and then use that token himself, because the server has now bound it to the victim.<br \/>\n&#8211; Improper logout: when the logout program does not destroy the session token on the server, anyone who still holds the token (for example on a shared computer, or from a captured request) can continue to view pages within the restricted area.<br \/>\n&#8211; Cross Site Request Forgery (CSRF): this attack requires the user to be logged in while it takes place. An attacker-controlled page makes the victim\u2019s browser send a request to the application, and the browser attaches the session cookie automatically, so the server cannot tell the forged request from a legitimate one unless state-changing requests also carry a secret the attacker cannot read, such as a per-session anti-CSRF token.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Web applications are those that are accessed using web browsers like Firefox or Internet Explorer. The protocol used by web applications is called Hyper Text Transfer Protocol (HTTP). HTTPS is the same protocol carried over TLS; it protects the traffic (including session tokens) in transit, but does nothing by itself to manage sessions.<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[54],"class_list":["post-504","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-web-application-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-88","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
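The six criteria and the four attacks listed in the post, worked through together in one runnable server-side session store. This is an added example and not code from the original post or from the blog's authors; the `SessionStore` class, the `request_inbox`, `request_delete_mail` and `demo` functions, the `USERS` table with its sample password, and the 900-second idle time-out are all assumptions made for the illustration. The clock is injectable so the time-out can be exercised without waiting.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 32     # 256 bits from the OS CSPRNG: "large enough and random enough"
IDLE_TIMEOUT = 900   # seconds of inactivity after which a session is dead (assumed value)

# Constructed sample credential store; a real application stores password hashes.
USERS = {"ram": "correct horse battery staple"}


class SessionStore:
    """Server-side record of which token was issued to whom (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so the time-out can be demonstrated
        self._sessions = {}        # token -> {"user", "last_seen", "csrf"}

    def new_session(self, user=None):
        """Issue a fresh, unpredictable token; user=None means not yet authenticated."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {
            "user": user,
            "last_seen": self._clock(),
            "csrf": secrets.token_urlsafe(TOKEN_BYTES),  # per-session anti-CSRF secret
        }
        return token

    def _lookup(self, token):
        """Return the live session for a token, expiring it if it has been idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]      # time-out: the token is now worthless
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, pre_auth_token, username, password):
        """Check credentials; on success rotate the token (session fixation defence)."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        # Never promote the token the browser already had: an attacker may have planted it.
        self._sessions.pop(pre_auth_token, None)
        return self.new_session(user=username)

    def authenticated_user(self, token):
        session = self._lookup(token)
        return None if session is None else session["user"]

    def csrf_token(self, token):
        session = self._lookup(token)
        return None if session is None else session["csrf"]

    def logout(self, token):
        """Destroy the server-side record; clearing only the cookie would not be enough."""
        self._sessions.pop(token, None)


def request_inbox(store, token):
    """A page inside the restricted area: the session check is never skipped."""
    user = store.authenticated_user(token)
    return (401, "login required") if user is None else (200, f"inbox of {user}")


def request_delete_mail(store, token, csrf_field):
    """A state-changing request: needs a live session AND the per-session CSRF token."""
    if store.authenticated_user(token) is None:
        return 401, "login required"
    expected = store.csrf_token(token)
    if csrf_field is None or expected is None or not hmac.compare_digest(expected, csrf_field):
        return 403, "csrf check failed"
    return 200, "deleted"


def demo():
    """Replay the attacks from the post against this store; returns the outcomes."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    results = {}

    # Authentication bypass attempt: a pre-login token must not open the inbox.
    planted = store.new_session()
    results["unauth_inbox"] = request_inbox(store, planted)[0]

    # Session fixation: the attacker knows `planted` and waits for Ram to log in with it.
    ram = store.login(planted, "ram", "correct horse battery staple")
    results["token_rotated"] = ram is not None and ram != planted
    results["fixation_attempt"] = request_inbox(store, planted)[0]  # attacker's copy is dead
    results["victim_inbox"] = request_inbox(store, ram)[0]

    # CSRF: a forged cross-site request carries the cookie but cannot read the CSRF token.
    results["csrf_forged"] = request_delete_mail(store, ram, None)[0]
    results["csrf_legit"] = request_delete_mail(store, ram, store.csrf_token(ram))[0]

    # A wrong password never yields an authenticated session.
    results["bad_login"] = store.login(store.new_session(), "ram", "wrong") is None

    # Idle time-out: advance the clock past the limit, then retry.
    now[0] += IDLE_TIMEOUT + 1
    results["after_timeout"] = request_inbox(store, ram)[0]

    # Proper logout: the record is gone, so replaying the token gives nothing.
    ram2 = store.login(store.new_session(), "ram", "correct horse battery staple")
    store.logout(ram2)
    results["after_logout"] = request_inbox(store, ram2)[0]
    return results
```

Running `demo()` returns 401 for the pre-login, post-time-out and post-logout requests, 401 for the attacker's planted token after the victim has logged in (because the token was rotated), 403 for the forged delete and 200 only for the genuine inbox and delete requests. The design choice worth noting is in `login`: the pre-authentication token is dropped rather than upgraded, which is the whole defence against session fixation, and `logout` removes the server-side record rather than relying on the browser to forget the cookie.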