The results and conclusions obtained from dozens of web application penetration tests completed during the last few years confirm that session management is still today one of those web application critical components prone to suffer multiple and critical vulnerabilities.
Session management is a core and very complex module in modern web application architectures, and has to integrate smoothly and securely with other critical components, such as the authentication and access control modules:
Sessions, represented by a session ID or token, bind the user authentication credentials to the user HTTP traffic and the appropriate access controls enforced by the web application. The stateless nature of the HTTP protocol, the complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer’s hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.
Unfortunately most people put the focus on the top two or three risks or vulnerabilities, injection (being SQL injection the top one), Cross-Site Scripting (XSS) and (if lucky) Cross-Site Request Forgery (CSRF), but the OWASP Top 10 already reflected the importance of session management flaws on its 2007 version (7th position - A7), and highlighted this fact even more in the 2010 version, raising authentication and session management risks ("A3: Broken Authentication and Session Management") to the 3rd position.
Although the emphasis goes to authentication, due to all the weaknesses of the current authentication mechanisms (mainly based on username and password), session management tends to suffer serious vulnerabilities even for the most secure web applications. Do not forget that, once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the web application, such as username and password, passphrase, one-time password (OTP), client-based digital certificate, smartcard, or biometrics (such as fingerprint or eye retina).
For all these reasons, the OWASP Session Management Cheat Sheet has been released, with the goal of providing guidance and best practices to web application architects, developers, and information security professionals when building or auditing the session management module of web applications.
The whitepaper with the original content that has inspired and has been used for the creation of the first version of this OWASP cheatsheet is available in PDF format for easy download, distribution, and usage at Taddong's lab.
I encourage anyone involved in web application security to provide comments, feedback, and improvements to the OWASP Session Management Cheat Sheet, for the benefit of the whole web application community.