Weak Session Management Detected

High | Web App Scanning Plugin ID 112794

Synopsis

Weak Session Management Detected

Description

A web session is a set of HTTP transactions issued by a user within a given time frame. Web applications use sessions to retain information about each user, keep track of their activity, and define the appropriate access rights and permissions. Each session has an identifier (token or ID) defined by the application to bind users to their HTTP traffic; for authenticated sessions, that identifier is temporarily equivalent to the strongest authentication method the application uses.

By targeting the session management mechanism, attackers can hijack other users' sessions to impersonate those users, use their privileges in the application, or access sensitive information.

Solution

Web applications must enforce strong session management to avoid session forgery, predictability, or reuse. The session ID must be long enough (at least 128 bits) to prevent brute-force attacks from determining valid sessions. It must be unique within the current session context of the application, and it must carry enough randomness (at least 64 bits of entropy) to defeat guessing attacks or statistical analysis. Finally, sessions must have a limited lifetime, and their IDs must be invalidated after a logout, an idle timeout, or an absolute timeout.
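The following is an added example, not part of the plugin page or of any Tenable or framework code, showing one way to meet the requirements above in a server-side session store: IDs drawn from the OS CSPRNG (16 bytes, i.e. 128 bits of length and entropy, above both thresholds), uniqueness enforced at creation, and invalidation on logout, idle timeout and absolute timeout. The class name `SessionStore`, the timeout values and the injectable `clock` are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Thresholds chosen to satisfy the Solution text: 16 bytes of CSPRNG output
# is 128 bits, which covers both the length and the entropy requirement.
SESSION_ID_BYTES = 16
IDLE_TIMEOUT = 15 * 60          # seconds without activity before expiry (assumed value)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity (assumed value)


@dataclass
class Session:
    user: str
    created_at: float   # when the ID was issued (drives the absolute timeout)
    last_seen: float    # last request seen with this ID (drives the idle timeout)


class SessionStore:
    """In-memory session store (assumed design for illustration only)."""

    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT,
                 absolute_timeout=ABSOLUTE_TIMEOUT):
        self._clock = clock            # injectable so tests can move time forward
        self._idle = idle_timeout
        self._absolute = absolute_timeout
        self._sessions = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable, unique session ID for `user`."""
        while True:
            # secrets.token_urlsafe draws from the OS CSPRNG, so the ID is neither
            # sequential nor derivable from user data or timestamps.
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
            if sid not in self._sessions:      # uniqueness within this store
                break
        now = self._clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def resolve(self, sid: str):
        """Return the user bound to a valid session, or None.

        Sessions past either timeout are removed on sight, so an expired ID can
        never be reused even if the client keeps presenting it.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session.created_at > self._absolute
                or now - session.last_seen > self._idle):
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> None:
        """Invalidate the ID server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(f"issued {len(sid)}-char id, resolves to {store.resolve(sid)!r}")
    store.logout(sid)
    print(f"after logout resolves to {store.resolve(sid)!r}")
```

Note that the store invalidates on the server side: deleting the cookie in the browser does nothing against an attacker who already copied the ID, which is why logout and both timeouts are enforced in `resolve` and `logout` rather than left to the client.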

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

https://www.sans.org/reading-room/whitepapers/webservers/secure-session-management-preventing-security-voids-web-applications-1594

Plugin Details

Severity: High

ID: 112794

Type: remote

Published: 5/20/2021

Updated: 11/26/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Reference Information