Web Session Management : Requisites and Best Practices

Web Session comprises of the sequence of HTTP requests and responses bounded to a user using a resource over a fixed timestamp. It can be described as storage of information by the server that persists over user interactions with the web application. 
 
HTTP was designed to transfer documents and is not an application transport protocol. It is a stateless protocol as it does not store any record of its previous interaction. Each interaction is independent of any other web interactions and is based on the information contained in the HTTP Headers. In persistent HTTP connection socket is left open using Alive parameters as "Connection: keep-alive" for the longer duration but still have timeout value so as not to overload server. Multiple requests are pipeline where each request is independent of each other. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients. Even if the socket is kept open, HTTP is stateless as it doesn't store anything. Moreover, both documents and applications are text based but the application requires maintenance of state through some way. 
 
Present day advanced web applications demand preserving the status of users over the duration of multiple requests. They desire a technique to identify ever user connection. HTTP is stateless, so it seems obvious that HTTP would not be appropriate for delivering applications. Additionally, sessions are coupled with connections, but they work at different OSI layer and have different timeout values. For the Apache the default value for which session remains in memory is 300 seconds, also connection will be closed once its idle for 60 seconds. Connection timeout can't be increased as it will possible exhaust TCP connection limit, will affect memory as well. The difficulty lies in binding Session and Connection.  Moreover, Sessions will remain in the memory of server even after its associated connection has been terminated due to inactivity. Implanting cookies on clients system will enable the application to find the session on the server. Through the exchange of session IDs, the state can be maintained even for a stateless protocol like HTTP.
 
With the use of sessions and cookies, HTTP was given the means by which state could be tracked throughout the use of an application.
 
Thereafter session management is required to establish a link connecting authentication and access control. While the server stores session information, Session ID is used to identify a session and is mostly stored in the cookie on client system formed at the time of session creation. Once the user has been authenticated the application can make use of sessions. Web application creates the session in order to keep track of users, identify users on successive request, authorizing user on the different domain, applying access control mechanism, accounting and tracking user’s activity moreover to increase the usability of the application. After successful authentication and establishment of the web session, Session ID or token is used as a method for authenticating further requests for the current session. Session Id or token binds the user HTTP traffic to its permissible access rights. HTTP uses various mechanisms to maintain session state for web applications such as cookies, URL rewriting,  URL arguments on Getting requests, body arguments on POST requests.
Session ID length must be long enough, combining random number so as to avoid its attacks like replay, brute force. Even if it is decoded it should not reveal any personally identifiable information like password, secret information etc. Moreover its name should not reveal information about its purpose it serves. The disclosure, capture, guessing, prediction, brute force, or fixation of the session ID will lead to session hijacking attacks, where an attacker can completely imitate a victim user in the web application. The intruder can conduct either targeted attack on a specific user or generic attack impersonating any legitimate user. 
 
Web development frameworks, such as J2EE, ASP.NET, PHP, and others provide their own session management features. However they contain inherent vulnerabilities and weaknesses, so it is always recommended to use the latest available version available, that has possibly fixed all the well-known vulnerabilities.
 

Conclusion

Session Management is a link connecting authentication and access control. Many modern day networking devices provides an ability to control, directly manipulate and manage any IP application traffic. Furthermore encrypting, digitally signing and implanting browser cookies by manipulating HTTP traffic.
 
Authored By - Shefali Singh
TCS Enterprise Security and Risk Management
Rate this article: 
Average: 3.6 (10 votes)
Article category: