Title | Secure Session Management |
Author | Fariha Nazmul |
Abstract | HTTP is stateless, so web application developers must layer a separate stateful or stateless mechanism on top of it to maintain state and user-specific session information. Maintaining user-specific state across a logical connection between the server and the user's device is known as a session. Web session management is the method by which the web server exchanges state information with the client in order to recognize and track every user connection.
A critical issue in web security is binding user authentication and access control to unique sessions. Vulnerabilities in the session management process can cause serious damage, since sessions generally hold important and sensitive data of web-based systems.
The aim of this Master's thesis is the security of session management in a single-server environment. The thesis analyses the essential properties of a secure session management mechanism: the ability to bind an incoming request to the session it belongs to, the choice of where and how session state is stored, and the measures that protect the session handling mechanism from attacks. In addition, the thesis shows the basic steps of implementing a session with PHP and discusses how changing some of the session management configuration options affects the security level of the application. Finally, it surveys the available best practices for secure session management and proposes a standard way of maintaining a secure session in a single-server system. |
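The abstract names three concerns (binding a request to its session, where the state lives, and which PHP session configuration options affect security). The following is an added example written for this page, not code from the thesis or from any project it describes: a hardened PHP session bootstrap for a single-server deployment. The `php.ini` values, the cookie name `SID`, the timeout limits and the `$_SESSION` key names are the editor's choices and are labelled as such in the comments; they are not values the thesis prescribes or measured.

```php
<?php
// Added example, not the thesis' code. Hardened PHP session handling for a
// single server: the request is bound to its session only through a
// server-issued cookie identifier, all state stays in $_SESSION on the server
// (default file handler, which is enough for the single-server case), and the
// session.* options below are the ones that most change the security level.
declare(strict_types=1);

// --- 1. Configuration: weak defaults versus hardened values (editor's picks) --
// The weak side of each line is what an unconfigured PHP of that era did:
//   use_strict_mode=0   accepts an identifier the server never issued (fixation)
//   use_only_cookies=0  reads the identifier from the query string as well
//   use_trans_sid=1     appends the identifier to links (leaks via Referer)
//   cookie_httponly=0   lets page script read the cookie
//   cookie_secure=0     sends the cookie over plain HTTP
$hardened = [
    'session.use_strict_mode'        => '1',   // reject unknown identifiers
    'session.use_only_cookies'       => '1',   // identifier only from the cookie
    'session.use_trans_sid'          => '0',   // never rewrite URLs with the id
    'session.cookie_httponly'        => '1',   // not readable from JavaScript
    'session.cookie_secure'          => '1',   // only sent over HTTPS
    'session.cookie_samesite'        => 'Lax', // PHP >= 7.3; limits cross-site sends
    'session.gc_maxlifetime'         => '1800',// server-side idle lifetime (s)
    'session.sid_length'             => '48',  // PHP >= 7.1; longer random ids
    'session.sid_bits_per_character' => '6',
];
foreach ($hardened as $key => $value) {
    ini_set($key, $value);
}

// --- 2. Start the session and enforce timeouts on the server side ------------
// The cookie's own lifetime is under the client's control, so idle and absolute
// limits are checked against timestamps stored in $_SESSION (key names and
// limits are this example's assumptions).
function start_secure_session(int $idleLimit = 1800, int $absoluteLimit = 28800): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name('SID'); // hypothetical cookie name
    session_start();

    $now = time();
    $expired = (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $idleLimit)
            || (isset($_SESSION['created'])   && $now - $_SESSION['created']   > $absoluteLimit);
    if ($expired) {
        logout();        // drop server state and the cookie
        session_start(); // continue with a fresh anonymous session
    }
    $_SESSION['last_seen'] = $now;
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
}

// --- 3. Privilege change: issue a new identifier, discard the old one --------
// Regenerating at login means an identifier fixed by an attacker, or observed
// before authentication, is never the one that carries the authenticated state.
function login_user(int $userId): void
{
    session_regenerate_id(true);              // true = delete the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['created']   = time();
    $_SESSION['last_seen'] = time();
    $_SESSION['csrf']      = bin2hex(random_bytes(32)); // per-session CSRF token
}

// Constant-time comparison of a submitted CSRF token with the stored one.
function csrf_token_valid(?string $submitted): bool
{
    return isset($_SESSION['csrf'], $submitted)
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- 4. Logout: clear server state and expire the cookie ---------------------
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical request flow (POST login form with a 'user' field is assumed).
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'])) {
    // ... verify credentials here, then:
    login_user((int) $_POST['user']);
}
```

The order matters: the `ini_set` calls must run before `session_start()`, because the strict-mode and cookie-flag settings are read when the session is opened, and `session_regenerate_id(true)` must be called only after credentials have been verified so that the authenticated state is never associated with the pre-login identifier.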
Type | Master's thesis [Academic thesis] |
Year | 2011 |
Publisher | Technical University of Denmark, DTU Informatics, E-mail: reception@imm.dtu.dk |
Address | Asmussens Alle, Building 305, DK-2800 Kgs. Lyngby, Denmark |
Series | IMM-M.Sc.-2011-45 |
Note | Supervised by Associate Professor Christian Probst, probst@imm.dtu.dk, DTU Informatics |
Electronic version(s) | [pdf] |
Publication link | http://www.imm.dtu.dk/English.aspx |
BibTeX data | [bibtex] |
IMM Group(s) | Computer Science & Engineering |