Communication between a web browser and the server of a website or web app is usually done over HTTP or HTTPS. Because HTTP is a stateless protocol, each request and response is independent of every other one: nothing in the protocol itself ties them together. If everything were communicated this way, the server would have no way to know whether a series of actions came from the same user. This is where sessions come in.
A session is a series of actions made by a user or entity within a given time frame. The server uses sessions to keep track of what a user has done, and session management is therefore used to ensure secure interactions between users and the website or web application.
In this article, we'll explore the challenges of session management and provide best practices for keeping your website or application secure. This will empower you to manage sessions confidently and secure your website or application.
Session management refers to handling the multiple requests and responses from a user or entity on a website or web application. Throughout these interactions, user information is passed between the server and the browser, stored by the browser, and processed. It is therefore critical for the web app to properly secure and manage sessions, especially authenticated ones, in order to prevent broken authentication. Before we get into the attacks associated with session management and some best practices, let’s define a few terms first.
A session ID, or session token, is a unique identifier, in the form of a randomly generated string, used to identify a user's session on a website or application. The server creates a session ID when a user logs in to a website or app and destroys it when the session is terminated.
There are a few different ways to generate session IDs, but OWASP recommends using a good Cryptographically Secure Pseudorandom Number Generator (CSPRNG). This ensures that each session ID is unique and unpredictable, so it can withstand guessing attacks.
The session ID remains the same for a certain period of time, and a new one is generated if the user closes the browser and reopens it to visit the site. The session ID binds the user's session to their HTTP traffic and to the access controls imposed by the website or app.
If an attacker were to obtain a user's session ID, they would be able to impersonate the user and gain access to their account. For that reason, session IDs should never be disclosed and should only ever be transferred over secure channels.
To exchange the session ID securely, it is usually stored in a cookie, since cookies have attributes that protect how they are transmitted.
Cookies are small pieces of data sent from a website to a user's web browser and stored on the user's device; session cookies can store a range of information, and the session ID is one of them. When the user returns to the website, their browser sends the cookie back to the server. This allows the server to identify the user and track their activity on the site.
Threats and Cyber Attacks Related to Session Management
Session hijacking attacks involve an attacker obtaining the victim's session ID after the user logs in. The attacker can then impersonate the user and perform actions on their behalf using the stolen session ID.
A session fixation attack, sometimes confused with session hijacking, exploits flaws in the web app's authentication and session management to “fix” a known session on the user’s browser. Instead of stealing an identifier, the attacker tricks the victim into using an identifier the attacker already knows. Afterwards, the attacker can impersonate the user.
Best Practices of Implementing Session Management
Properties of Session ID
There are a few properties of a session ID that have to be properly configured in order to prevent attacks related to session management. For instance, the length of the session ID should be at least 128 bits (note that this is a reference value rather than an absolute minimum), and the session ID has to be unpredictable to protect users from guessing attacks.
Moreover, the session ID shouldn’t be descriptive; its content should be meaningless so that no relevant information is disclosed if an attacker manages to decode it.
Attributes of Cookies
We previously mentioned that cookies have some attributes that help protect session ID exchange. Here are a few of them.
Secure: This attribute tells the browser only to send cookies over HTTPS connections, which are encrypted as opposed to HTTP.
SameSite: The SameSite attribute controls whether the cookie is sent with cross-site requests. Possible values are 'Strict', 'Lax', and 'None'. With Strict, the cookie is only sent with same-site requests; with Lax, it is sent with same-site requests and also with top-level cross-site navigations; with None, it is sent with all requests.
Expires / Max-Age: When a cookie has the Max-Age or Expires attributes, the cookie will be considered “persistent” and will be stored by the browser until the expiration time specified by the attributes.
Generation of New Session IDs
The session ID shouldn’t remain the same throughout the entire session. It should be renewed or regenerated whenever the user’s privilege level changes. For example, when a user visits a website, they get a session ID; once the user logs in to their account, the privilege level changes and the session ID should be regenerated. Other scenarios where the session ID should be changed include password changes and permission changes.
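The three practices above (a CSPRNG-generated, meaningless ID of at least 128 bits; protective cookie attributes; and regeneration on privilege change) are shown together in this added example of a minimal in-memory session store. It is illustrative code written for this article, not Authgear's implementation; the 30-minute idle timeout, the `session` cookie name and the `SessionStore` API are assumptions.

```python
import secrets
import time

# Constructed example, not Authgear's code. Timeout and cookie name are assumed.
SESSION_TTL = 30 * 60          # assumed idle timeout: 30 minutes
ID_BYTES = 16                  # 128 bits of entropy, the reference minimum above


class SessionStore:
    def __init__(self):
        self._sessions = {}    # session_id -> {"user": ..., "expires": ...}

    def create(self, user=None):
        """Start a new (possibly anonymous) session whose ID comes from the
        OS CSPRNG and carries no meaning an attacker could decode."""
        sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Return the session data, or None if the ID is unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None or sess["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return sess

    def regenerate(self, old_sid, user):
        """Called on login, password change or permission change: bind the
        user to a brand-new ID and invalidate the old one, so an ID fixed or
        observed before the privilege change grants nothing afterwards."""
        self._sessions.pop(old_sid, None)   # the old ID must stop working
        return self.create(user)

    def destroy(self, sid):
        """Logout: remove the session so the ID is dead server-side."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie value: Secure (HTTPS only), HttpOnly (not readable
    by page scripts), SameSite=Lax (withheld from cross-site subrequests) and a
    bounded lifetime via Max-Age."""
    return (f"session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL}")
```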
How Session Management Works with Authgear
When your users authenticate with Authgear, Authgear will take care of generating and properly configuring the cookies to ensure secure authentication. The subsequent requests sent from the browser to your app server will now include the session cookie. To verify the session, forward the requests to the Authgear Resolver Endpoint.
> GET /api_path HTTP/1.1
> Host: yourdomain.com
> cookie: session=
Securing Session Management and Authentication with Authgear
A lot can go wrong when implementing session management, and data breaches can result in businesses losing more than half of their users and facing significant financial loss.
Let Authgear secure session management and the overall security of your apps. Authgear not only follows cybersecurity best practices to ensure that your users’ personal data is well-protected but also provides various authentication and user management features, including biometric authentication, social login, passkeys, WhatsApp OTP, and more, to make sure that you can deliver a secure yet frictionless digital experience to your users.