What is a Session?

A user session is a sequence of requests from the same client and associated responses during a specific time period. Modern web applications need sessions to track user information, access rights, and settings while users interact with an application.

HTTP is stateless: the server keeps no memory of earlier requests, so each request must carry whatever the server needs to act on it. To link requests into a session, web applications attach a session identifier to every request, usually in a cookie, but sometimes as a URL parameter or a body argument.

Session Identifier Security

A unique session identifier (Session ID) is the basis for generating and distinguishing user sessions. If an attacker obtains a session ID, they can hijack the session and impersonate the victim.

Attackers can obtain session IDs through:

  • Passive traffic/packet sniffing (unencrypted HTTP, or a cookie missing the Secure flag)
  • Logs (web server, proxy, and browser history logs, especially when the ID travels in the URL)
  • Prediction (IDs derived from timestamps, counters, or weak random generators)
  • Brute forcing (IDs that are too short or drawn from too small a keyspace)

Security Factors:

  • Validity Scope - Should be valid for one session only
  • Randomness - Must be generated through robust random algorithms
  • Validity Time - Should expire after a certain time

Storage Locations:

  • URL - Can leak via HTTP Referer header; stored in browser history
  • HTML - Can be found in browser cache and intermediate proxies
  • sessionStorage - Cleared when the tab/browser closes; survives page reloads
  • localStorage - Persists until deleted by the user; not cleared when the browser closes (except in incognito/private mode)

Both Web Storage areas are readable by any script running in the page's origin, so an XSS bug exposes whatever is kept there; a cookie set with the HttpOnly flag is not reachable from script.

Session Attacks

  • Session Hijacking - Attacker obtains a valid session ID (by any of the means above) and presents it to impersonate the victim
  • Session Fixation - Attacker fixes a session ID of their choosing (for example by planting it in the victim's cookie or URL) and tricks the victim into authenticating with it; if the application does not issue a fresh ID on login, the attacker's ID is now an authenticated session
  • XSS (Cross-Site Scripting) - Injected script used to steal or abuse the session, e.g. reading document.cookie when the cookie lacks HttpOnly, or reading tokens kept in Web Storage
  • CSRF (Cross-Site Request Forgery) - Forces an authenticated user's browser to send requests the user did not intend, riding on the session cookie the browser attaches automatically
  • Open Redirects - Abuses redirection functionality to send victims to attacker-controlled sites, which can expose a session ID carried in the URL or Referer and lends credibility to phishing
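The following is an added example, not code from the original notes, that ties the "Security Factors" list to the "Session Attacks" list above: a minimal server-side session store in Python whose IDs come from the OS CSPRNG (randomness), which enforces both an idle timeout and an absolute lifetime (validity time), and which rotates the ID on login so that a pre-authentication ID an attacker fixed in the victim's browser stops working (validity scope, session fixation). The `SessionStore` class, the timeout values, and the `fixation_demo` / `expiry_demo` scenarios are hypothetical and chosen for illustration; the clock is injectable so expiry can be exercised without sleeping.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Illustrative values; real limits depend on the application's risk profile.
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity after which a session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60   # hard cap on session age, activity or not


@dataclass
class Session:
    user: Optional[str]           # None until the client authenticates
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Hypothetical server-side store keyed by an unguessable session ID."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock           # injectable so tests can move time forward

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG, i.e. 256 bits of entropy, URL-safe encoded.
        # A counter or str(time.time()) here would be predictable (the "Prediction" attack).
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if it is unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]   # validity time: expired IDs must stop working
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, rotate: bool = True) -> str:
        """Mark the session authenticated and return the ID the client must use from now on.

        rotate=True issues a fresh ID and invalidates the old one (the fixation defence).
        rotate=False is the vulnerable pattern: the pre-auth ID keeps working after login.
        """
        session = self.get(sid)
        now = self._clock()
        if session is None:           # unknown/expired ID presented at login: start clean
            session = Session(user=None, created=now, last_seen=now)
        session.user = user
        if not rotate:
            self._sessions[sid] = session
            return sid
        self._sessions.pop(sid, None)  # validity scope: one ID per (auth state of a) session
        new_sid = self.new_id()
        self._sessions[new_sid] = session
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def fixation_demo(rotate: bool) -> bool:
    """Session fixation scenario. Returns True if the attacker ends up with the victim's session."""
    store = SessionStore()
    fixed_sid = store.create()                      # attacker obtains a valid pre-auth ID ...
    store.login(fixed_sid, "victim", rotate=rotate)  # ... and the victim logs in while using it
    s = store.get(fixed_sid)                        # attacker replays the ID they planted
    return s is not None and s.user == "victim"


def expiry_demo() -> Tuple[bool, bool, bool]:
    """Returns (alive just before idle timeout, dead after it, dead at absolute lifetime)."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create()
    now[0] += IDLE_TIMEOUT - 1
    alive = store.get(sid) is not None
    now[0] += IDLE_TIMEOUT + 1
    dead = store.get(sid) is None
    sid2 = store.create()                           # kept active, but still hits the hard cap
    for _ in range(ABSOLUTE_LIFETIME // (IDLE_TIMEOUT // 2) + 1):
        now[0] += IDLE_TIMEOUT // 2
        store.get(sid2)
    capped = store.get(sid2) is None
    return alive, dead, capped


if __name__ == "__main__":
    print("fixation without rotation succeeds:", fixation_demo(rotate=False))
    print("fixation with rotation succeeds:   ", fixation_demo(rotate=True))
    print("expiry (alive, idle-dead, capped):  ", expiry_demo())
```

The important design choice is that the ID is an opaque lookup key with no structure an attacker can predict or extend, and that the server, not the client, decides when it stops being valid. Rotating on login is the single change that turns the fixation scenario from a hijack into a dead end, and it costs nothing beyond copying the pre-auth data into the new entry.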