24

What are some good practices for ensuring logins, session IDs and session content are secure for a website?

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
James T
  • 1,883
  • 1
  • 17
  • 26

5 Answers5

21
  • Use a database for sessions.
  • Regenerate the session on when the permissions change (e.g., when a user logs in).
  • Regenerate the session on every page load (optional).
  • Don't expose the session ID in the URL.
  • Don't expose any sensitive data to the session.
VirtuosiMedia
  • 3,232
  • 3
  • 27
  • 32
  • 1
    Only use the session through secure transport, otherwise someone could sniff the cookie and hijack the session. – Andrew Russell May 13 '11 at 02:00
  • Alternative to the Regenerate note on page load above, if the previous pages actions(urls) are invalidated then it is a good thing for certain cases. – Andrew Russell May 13 '11 at 02:04
9

In addition to VirtuosiMedia's list:

  • Use TLS (SSL) across the entire site. Use the HSTS header.
  • Use a session cookie, rather than adding a session token to every link-href and form-action.
  • Use the secure and httpOnly flags on the cookie.
  • Use the X-Frame-Options header.
  • Keep the content of the session minimal. E.g., store only the user-id. If caching is needed, cache in a general caching layer, not the session.
  • Cryptographically sign the session cookie with a secret key known only to the server. Include an expiration datetime in the signed data. Check the signature and the expiration at the server on every request.
yfeldblum
  • 2,817
  • 21
  • 13
  • 1
    "_Cryptographically sign the session cookie with a secret key known only to the server._" If the cookie contains only the session-id (the key in the database of sessions on the server), how it that helpful? – curiousguy Jul 12 '12 at 23:17
  • Firstly, is the session-id generated by a cryptgraphically-strong PRNG, and suitably long as to be unguessable and unforgeable? Secondly, it is more important for those who session data in cookies. – yfeldblum Jul 13 '12 at 11:47
8

Expire your session after a reasonable amount of time... Delete the session out of whatever your using as a repository so it can't be re-used...

Gary
  • 217
  • 2
  • 5
6

don't save password or other user information except user id to the session.

Mohamed
  • 1,404
  • 1
  • 11
  • 14
6

Implement DNSSec to protect your HTTPS session from attacks over Wifi, or public networks including hardwired/switched.

Use HTTPS only for cookies that don't need Javascript access

Use the Secure attribute for all others cookies

Don't allow 3rd party javascript on your site

Similar to the above, don't serve advertisements on your site

makerofthings7
  • 50,488
  • 54
  • 253
  • 542