Session management
Session management is at the core of any web-based application. It defines how the application maintains state and thereby controls the user's interaction with the site. A session is initiated when a user first connects to the site and is expected to end when the user disconnects. Since HTTP is a stateless protocol, the session must be handled explicitly by the application. A unique identifier, the session ID, is normally used to track each user's session, and it is usually carried in a cookie. That identifier is effectively a temporary credential: anyone who obtains a valid session ID can act as the user it belongs to, which is why how it is generated, transported and stored matters.
Cookie checks
Because the cookie carries the user's session identifier, it must be configured securely. The following image shows a sample cookie with its attributes:
In the preceding image, the last three parameters are important from a security perspective. The Expires parameter is set to At end of session, which means the cookie is not persistent: the browser discards it when the browser session ends (typically when the browser is closed). Note that this is a client-side behaviour, not a logout; the application must still invalidate the session ID on the server when the user logs out, otherwise a stolen ID remains usable. The Secure flag is set to No, which is a risk: without it the browser also sends the cookie over plain HTTP, where anyone on the network path can read the session ID. The site should implement HTTPS and then enable...