
Session Management

The process of securely maintaining user state and authentication across multiple HTTP requests.

Category: Identity & Access Management
Also called: "session handling", "session control", "user session"

Session management maintains user context across requests in the otherwise stateless HTTP protocol: each request must carry something (a session ID or token) that lets the server associate it with an earlier authentication.

Session mechanisms

  • Cookies: Most common, sent automatically with requests.
  • Tokens: JWT, OAuth tokens in headers or cookies.
  • URL parameters: Legacy, insecure (session ID in URL).
  • Hidden form fields: Single-page session tracking.

Session lifecycle

  1. Creation: User authenticates, server generates session ID.
  2. Storage: Session data stored server-side (Redis, database).
  3. Transmission: Session ID sent to client (cookie/token).
  4. Validation: Server verifies session ID on each request.
  5. Renewal: Extend session on activity (sliding expiration).
  6. Termination: Explicit logout or timeout expiration.

Security best practices

  • Random session IDs: Use cryptographically secure random generation.
  • ID length: Minimum 128 bits to prevent brute force.
  • HTTPS only: Secure flag prevents transmission over HTTP.
  • HttpOnly flag: Prevents JavaScript access (XSS protection).
  • SameSite attribute: CSRF protection.
  • Session timeout: Idle timeout (15-30 min) and absolute timeout (24 hours).
  • Regenerate ID: New session ID after login (prevent fixation).
  • Logout functionality: Clear session data completely.
  • Concurrent session limits: Prevent account sharing.

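The lifecycle steps above and the best-practice list together describe one server-side session store. The following is an added example written for this glossary entry, not code from any product or project it describes: an in-memory store that generates IDs from the CSPRNG, enforces idle and absolute timeouts with sliding renewal, regenerates the ID at login so a pre-authentication ID cannot become an authenticated one, caps concurrent sessions per user, and emits the cookie attributes from the list. The timeout values, the concurrent limit of 3 and the cookie name `sid` are assumptions; the injectable `clock` exists so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Policy values: the glossary gives the ranges; these exact numbers are assumptions.
IDLE_TIMEOUT = 30 * 60            # 30 minutes without activity
ABSOLUTE_TIMEOUT = 24 * 60 * 60   # 24 hours since creation, regardless of activity
MAX_CONCURRENT = 3                # assumed per-user concurrent session limit
ID_BYTES = 32                     # 256 bits of entropy, above the 128-bit minimum


@dataclass
class Session:
    user_id: Optional[str]        # None until the user authenticates
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory server-side store; a deployment would back this with Redis or a database."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable clock so timeouts can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: Optional[str] = None) -> str:
        """Creation: a fresh ID from the CSPRNG (secrets, never random.random)."""
        sid = secrets.token_urlsafe(ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Validation and renewal: reject unknown or expired IDs, else slide the idle window."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            self.terminate(sid)
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user_id: str) -> str:
        """Regenerate the ID at authentication so an ID planted before login (fixation)
        never becomes an authenticated one; also enforce the concurrent-session limit."""
        old = self.validate(sid)
        carried = old.data if old else {}
        self.terminate(sid)
        # Evict the user's oldest sessions until there is room for one more.
        mine = sorted((k for k, v in self._sessions.items() if v.user_id == user_id),
                      key=lambda k: self._sessions[k].created_at)
        while len(mine) >= MAX_CONCURRENT:
            self.terminate(mine.pop(0))
        new_sid = self.create(user_id)
        self._sessions[new_sid].data = carried
        return new_sid

    def terminate(self, sid: str) -> None:
        """Termination: drop the server-side record so the ID is dead even if the cookie lingers."""
        self._sessions.pop(sid, None)

    def active_sessions(self, user_id: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user_id == user_id)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Transmission: Secure, HttpOnly and SameSite as the best-practices list requires."""
    return f"Set-Cookie: sid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(set_cookie_header(authed))
    print("pre-login id still valid:", store.validate(anon) is not None)  # False
```

The absolute timeout is checked against `created_at`, which sliding renewal never touches, so a session that is kept busy still ends after 24 hours; the idle timeout alone would let it live indefinitely.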
Common vulnerabilities

  • Session fixation: Attacker sets victim's session ID before authentication.
  • Session hijacking: Attacker steals session ID via XSS, MITM, or sniffing.
  • Session prediction: Weak session ID generation enables guessing.
  • Insufficient timeout: Long-lived sessions increase exposure window.
  • No logout function: Users can't terminate sessions.
  • Missing regeneration: Same session ID pre/post authentication.

Storage options

  • Server-side sessions: Data stored on server, only ID sent to client.
    • More secure, full control over data.
    • Requires session storage (Redis, database).
  • Client-side sessions: Entire session in JWT or encrypted cookie.
    • Stateless, scalable (no server storage).
    • Harder to invalidate, size limitations.

Session vs Token authentication

  • Sessions: Server stores state, cookie contains session ID.
  • Tokens (JWT): Client stores state, server validates signature.
  • Hybrid: Token stored in cookie with HttpOnly/Secure flags.
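The client-side storage option and the token-versus-session comparison above both describe the stateless pattern: the state travels in the token and the server only verifies a signature. The following is an added example written for this glossary entry, not the code of any library: an HMAC-SHA256 signed token with `sub`, `iat`, `exp` and a `jti`, a verifier that compares tags in constant time before parsing any claim, and the one piece of server-side state (a revoked-`jti` set) that the "harder to invalidate" caveat forces you to keep if logout must take effect before `exp`. The key, the claim layout and the cookie name `session` are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key for the demo; a real service loads it from a secret store.
SECRET_KEY = b"demo-only-key-not-for-production"
REVOKED_JTI: set = set()   # minimal server-side state needed to invalidate early


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(user_id: str, ttl: int = 3600, now: Optional[float] = None,
          key: bytes = SECRET_KEY) -> str:
    """Client-side session: the whole state travels in the token, protected by an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now + ttl),
              "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify(token: str, now: Optional[float] = None,
           key: bytes = SECRET_KEY) -> Optional[dict]:
    """No session record on the server: check signature, expiry and the revocation list only."""
    try:
        body, tag = token.split(".", 1)
        presented = _b64d(tag)
    except ValueError:            # malformed token or bad base64
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time, before parsing claims
        return None
    claims = json.loads(_b64d(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now or claims["jti"] in REVOKED_JTI:
        return None
    return claims


def revoke(token: str, now: Optional[float] = None) -> bool:
    """Logout for a stateless token: without this denylist the token stays valid until exp."""
    claims = verify(token, now=now)
    if claims is None:
        return False
    REVOKED_JTI.add(claims["jti"])
    return True


def hybrid_cookie(token: str, max_age: int = 3600) -> str:
    """Hybrid pattern: the token rides in a cookie that page JavaScript cannot read."""
    return (f"Set-Cookie: session={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    tok = issue("alice", ttl=60)
    print(hybrid_cookie(tok))
    print("valid:", verify(tok) is not None, "| after revoke:", revoke(tok) and verify(tok) is not None)
```

The denylist only needs to hold a `jti` until that token's `exp` has passed, which bounds its size; that is the trade the stateless design makes, since a server-side session is invalidated by simply deleting its record.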

Monitoring and logging

  • Log session creation, renewal, and termination.
  • Track concurrent sessions per user.
  • Alert on anomalies (geo-location changes, simultaneous logins).
  • Session replay protection (prevent reuse after logout).
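The monitoring points above become concrete when run against session event logs. The following is an added example written for this glossary entry, not a vendor's detection rule: it walks a constructed JSON-lines log of create, request and terminate events and raises the three alerts the list names, a login from a different country shortly after another, a session ID presented after its own termination, and a user exceeding the concurrent-session cap. The event schema, the 600-second window and the cap of 3 are assumptions.

```python
import json
from typing import List, Tuple

# Constructed sample log: one JSON object per line with the fields this detector expects.
SAMPLE_LOG = """\
{"ts": 100, "event": "create", "user": "alice", "sid": "s1", "geo": "DE"}
{"ts": 130, "event": "request", "user": "alice", "sid": "s1", "geo": "DE"}
{"ts": 160, "event": "create", "user": "alice", "sid": "s2", "geo": "BR"}
{"ts": 200, "event": "terminate", "user": "alice", "sid": "s1", "geo": "DE"}
{"ts": 230, "event": "request", "user": "alice", "sid": "s1", "geo": "DE"}
{"ts": 300, "event": "create", "user": "bob", "sid": "s3", "geo": "US"}
{"ts": 310, "event": "create", "user": "bob", "sid": "s4", "geo": "US"}
{"ts": 320, "event": "create", "user": "bob", "sid": "s5", "geo": "US"}
{"ts": 330, "event": "create", "user": "bob", "sid": "s6", "geo": "US"}
"""

GEO_WINDOW = 600     # assumed: two logins from different countries within 10 minutes is anomalous
MAX_CONCURRENT = 3   # assumed per-user cap, the same policy the application should enforce


def analyze(log_text: str) -> List[Tuple]:
    """Single pass over the log; returns (alert_type, user, ...) tuples in log order."""
    alerts: List[Tuple] = []
    terminated = set()        # session IDs that have been logged out
    active = {}               # user -> set of live session IDs
    last_login = {}           # user -> (ts, geo) of most recent creation
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        user, sid, ev = e["user"], e["sid"], e["event"]
        if ev == "create":
            prev = last_login.get(user)
            if prev and prev[1] != e["geo"] and e["ts"] - prev[0] <= GEO_WINDOW:
                alerts.append(("geo_change", user, prev[1], e["geo"]))
            last_login[user] = (e["ts"], e["geo"])
            active.setdefault(user, set()).add(sid)
            if len(active[user]) > MAX_CONCURRENT:
                alerts.append(("concurrent_limit", user, len(active[user])))
        elif ev == "terminate":
            terminated.add(sid)
            active.get(user, set()).discard(sid)
        elif ev == "request" and sid in terminated:
            # Replay: an ID that was explicitly ended is still being presented.
            alerts.append(("replay_after_logout", user, sid))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The replay check only works because terminations are logged; if the application silently drops sessions, the monitor cannot tell a replayed ID from a still-valid one.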