What are some good practices for ensuring logins, session IDs and session content are secure for a website?

Rory Alsop
asked Nov 11, 2010 at 22:28

5 Answers

  • Use a database for sessions.
  • Regenerate the session when the permissions change (e.g., when a user logs in).
  • Regenerate the session on every page load (optional).
  • Don't expose the session ID in the URL.
  • Don't expose any sensitive data to the session.
answered Nov 11, 2010 at 22:37
    Only use the session through secure transport, otherwise someone could sniff the cookie and hijack the session. Commented May 13, 2011 at 2:00
  • As an alternative to the "regenerate on page load" note above, if the previous page's actions (URLs) are invalidated then it is a good thing for certain cases. Commented May 13, 2011 at 2:04

In addition to VirtuosiMedia's list:

  • Use TLS (SSL) across the entire site. Use the HSTS header.
  • Use a session cookie, rather than adding a session token to every link-href and form-action.
  • Use the secure and httpOnly flags on the cookie.
  • Use the X-Frame-Options header.
  • Keep the content of the session minimal. E.g., store only the user-id. If caching is needed, cache in a general caching layer, not the session.
  • Cryptographically sign the session cookie with a secret key known only to the server. Include an expiration datetime in the signed data. Check the signature and the expiration at the server on every request.
answered Oct 10, 2011 at 11:36
    "Cryptographically sign the session cookie with a secret key known only to the server." If the cookie contains only the session-id (the key in the database of sessions on the server), how is that helpful? Commented Jul 12, 2012 at 23:17
  • Firstly, is the session-id generated by a cryptographically strong PRNG, and suitably long as to be unguessable and unforgeable? Secondly, it is more important for those who store session data in cookies. Commented Jul 13, 2012 at 11:47
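The signed-cookie item in the answer above (sign with a server-only secret, include an expiry in the signed data, verify both on every request) and the cookie and header items (Secure, httpOnly, HSTS, X-Frame-Options), as an added example in Python. This is not the answerer's code and it assumes a hypothetical `SECRET_KEY` loaded from configuration; the cookie carries only a session id, so the signature's job is to let the server reject forged or expired cookies before touching the session database.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical server-side secret. Load it from configuration or a secret
# store in practice; this constant exists only so the example runs offline.
SECRET_KEY = b"replace-with-32-random-bytes-from-secrets.token_bytes"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session_cookie(session_id: str, lifetime_seconds: int,
                        now: Optional[float] = None) -> str:
    """Return 'payload.signature'; the payload holds the id and an expiry."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sid": session_id, "exp": issued + lifetime_seconds},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the session id only if the MAC is valid and the expiry has not passed."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):      # malformed cookie: treat as absent
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    exp = data.get("exp")
    if not isinstance(exp, int) or current >= exp:   # expired or missing expiry
        return None
    sid = data.get("sid")
    return sid if isinstance(sid, str) else None


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie value with the Secure and HttpOnly flags from the answer."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly"


def security_headers() -> Dict[str, str]:
    """HSTS and X-Frame-Options, sent on every response."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    cookie = sign_session_cookie("abc123", lifetime_seconds=3600)
    print(set_cookie_header("sid", cookie, 3600))
    print(verify_session_cookie(cookie))
```

Verification is deliberately ordered MAC first, then JSON, then expiry: nothing in the payload is parsed until the server knows it produced it, and the comparison is constant-time so a forged cookie does not leak how many bytes of the MAC matched.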

Expire your session after a reasonable amount of time... Delete the session out of whatever you're using as a repository so it can't be re-used...

answered Nov 11, 2010 at 22:45
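The server-side session store that VirtuosiMedia's answer and the expiry answer above both describe, as one added Python example (not any answerer's code): sessions live in a store keyed by a random id, the id is regenerated when the user logs in, only the user id is kept in the session, the id is read from the Cookie header and never from the URL, and a session is deleted from the store when it idles out, hits an absolute lifetime, or the user logs out. The in-memory dict, the cookie name and the timeout constants are assumptions standing in for a database table and real configuration.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

# Assumed policy values; a real deployment takes these from configuration.
IDLE_TIMEOUT = 30 * 60           # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard ceiling from creation, regardless of activity
COOKIE_NAME = "sid"


@dataclass
class Session:
    user_id: Optional[str]   # the only application data kept; no password, no profile
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for the sessions table a real deployment keeps in a database."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable

    def create(self) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user_id=None, created_at=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session, deleting it from the store if it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            self.destroy(sid)   # expired: remove so the id can never be reused
            return None
        s.last_seen = now
        return s

    def regenerate(self, sid: str) -> Optional[str]:
        """Move the session data to a fresh id; the old id stops working immediately."""
        s = self.get(sid)
        if s is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = s   # created_at is kept, so the absolute timeout still applies
        return new_sid

    def login(self, sid: str, user_id: str) -> Optional[str]:
        """Permissions change here, so the id is regenerated before the user id is attached."""
        new_sid = self.regenerate(sid)
        if new_sid is None:
            return None
        self._sessions[new_sid].user_id = user_id
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def logout(self, sid: str) -> None:
        self.destroy(sid)

    def count(self) -> int:
        return len(self._sessions)


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Read the session id from the Cookie header only, never from the query string or path."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "user-42")
    print("old id still valid:", store.get(anon) is not None)   # False
    print("new id user:", store.get(authed).user_id)             # user-42
```

Regenerating on login is what defeats session fixation: an id handed to the browser before authentication never becomes an authenticated id. Keeping `created_at` across regeneration means the absolute timeout counts from the first request, not from the last regeneration.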

Don't save the password or other user information except the user id to the session.

answered Nov 12, 2010 at 0:24
  • So don't use WinForms auth? ;) Commented Oct 10, 2011 at 18:33

Implement DNSSEC to protect your HTTPS session from attacks over Wi-Fi, or public networks including hardwired/switched.

Use HTTPS only for cookies that don't need JavaScript access

Use the Secure attribute for all other cookies

Don't allow third-party JavaScript on your site

Similar to the above, don't serve advertisements on your site

answered Oct 4, 2011 at 17:07