Merge pull request #227 from OWASP/Shruti-s-kulkarni-patch-2

Update Session Management

Author: Shruti-s-kulkarni

draft/14-appendices/01-implementation-dos-donts/Session Management

@@ -1 +1,40 @@
+title	layout	tags	contributors	document	order	permalink
+File Management
+col-document
+OWASP Developer Guide
+Shruti Kulkarni
+OWASP Developer Guide
+747
+/draft/appendices/implementation_dos_donts/Session Management/
+{% include breadcrumb.html %}
+
+Session Management
+Here is a collection of Do's and Don'ts when it comes to session management, gathered from practical experiences.
+
+Creation of session
+Session identifier creation must always be done on a trusted system (e.g., The server)
+
+Creation of session
+If a session was established before login, close that session and establish a new session after a successful login
+
+Creation of session
+Generate a new session identifier on any re-authentication
+
+Random number generation
+Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers. Rely on CSPRNG rather than PRNG for random number generation
+
+Domain and path
+Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site
+
+Logout
+Logout functionality should fully terminate the associated session or connection
+
+Session timeout
+Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. In most cases it should be no more than several hours
+
+Session ID
+Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters
+
+Session ID
+Supplement standard session management for sensitive server-side operations, like account management, by utilising per-session strong random tokens or parameters. This method can be used to prevent Cross Site Request Forgery attacks