A session is used to maintain secure and consistent communication between a client and a server across a sequence of requests.
In HTTP this is achieved by keeping a mapping of session IDs to session state on the server and by sending the client a cookie containing the session ID when the session is first established.
- Packetlabs
Session hijacking is when the malicious party can impersonate the victim and perform actions from their account.
Session fixation happens when the properties of a session token allow an attacker to fix (pre-set) the token that the user will carry once authenticated.
It's important to:
- Check for consistent user information throughout the session
- Not reuse session tokens across all forms of access to the service
- Not set cookies without proper validity periods
Security:
- Set Secure/HttpOnly Flags on your Cookies
- Generate New Session Cookies
- Do not set Session Cookies for longer than 30 minutes
- It is also recommended that the scope of domains that are able to access the session cookie is limited and restrictive. This is controlled by the Domain and Path attributes.
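The following is an added example (not code from the page or from Packetlabs) of a minimal server-side session store that applies the points above: an unguessable session ID, a fresh ID issued at login so a pre-set token never becomes an authenticated one, an idle timeout of 30 minutes, a consistency check on client information (the User-Agent string is used here as a stand-in), and a Set-Cookie header carrying the Secure, HttpOnly, Path and Max-Age attributes. The `now` parameter and the cookie name `sid` are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT = 30 * 60  # seconds; matches the 30-minute guidance above


@dataclass
class Session:
    user: Optional[str]
    user_agent: str      # client info checked for consistency on every request
    last_seen: float
    data: dict = field(default_factory=dict)  # state lives server-side only


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}   # session ID -> Session
        self._now = now       # injectable clock (assumption) so expiry is testable

    def create(self, user_agent, user=None):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._sessions[sid] = Session(user, user_agent, self._now())
        return sid

    def get(self, sid, user_agent):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]   # expired: drop it on the server, not just the client
            return None
        if s.user_agent != user_agent:
            del self._sessions[sid]   # inconsistent client info: treat as a hijacked token
            return None
        s.last_seen = self._now()
        return s

    def login(self, old_sid, user, user_agent):
        # Issue a new ID at authentication: whatever token the client carried before
        # (possibly one an attacker fixed) is discarded and never becomes authenticated.
        old = self._sessions.pop(old_sid, None)
        new_sid = self.create(user_agent, user)
        if old is not None:
            self._sessions[new_sid].data = old.data   # keep pre-login state such as a cart
        return new_sid


def set_cookie_header(sid, path="/"):
    # Secure: HTTPS only; HttpOnly: hidden from scripts; Path: limits which URLs receive it
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path={path}; Max-Age={IDLE_TIMEOUT}"
```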
Sources:
PacketLabs