Session management is implemented within existing application frameworks and not developed for any specific application. Users are considered unauthenticated until the application has taken positive action to tie a session with an authentication token.
Session-based authentication is validated on each submission or request. Cookies set during an SSL session have the “secure” flag set. All cookies have the domain component set to the domain associated with the publicly addressable IP of the application or web server. Non-persistent cookies are only used to identify a client session. Cookies contain the minimum amount of information needed to implement functionality. Cookies contain a large enough random component to ensure uniqueness. Cookies are encrypted or hashed. Session tokens are cryptographically unique, non-sequential, and non-predictable. Session tokens are resistant to reverse engineering. Session tokens are not based on personal information. A session token’s unique key space is large enough to prevent brute-force attacks or enumeration. Session tokens are renegotiated after a configurable length of time. Brute-force attempts at session tokens generate a security event in application assessment logs. Sessions are torn down effectively by log-out functionality. Applications are able to manage normal and abnormal session termination.
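The following is an added example, not part of the original requirements text, showing how a minimal session store can satisfy the properties listed above: a CSPRNG-generated token with a 256-bit key space, only a hash kept server-side, a non-persistent cookie with the Secure and HttpOnly flags and an explicit Domain, per-request validation, renegotiation after a configurable lifetime, teardown on log-out, and a security event once repeated unknown-token lookups suggest brute forcing. The store, constants and threshold values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32         # 256 bits of entropy: key space too large to enumerate
ROTATE_AFTER = 900       # seconds before a token is renegotiated (configurable)
ALERT_THRESHOLD = 5      # unknown-token lookups before a security event is raised


class SessionStore:
    """In-memory store (illustrative); only a hash of each token is kept server-side,
    so a leaked store does not yield usable tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable clock so rotation can be tested
        self.sessions = {}           # sha256(token) -> {"user": ..., "issued": ...}
        self.bad_lookups = 0
        self.events = []             # stands in for the application security log

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        """Tie a session to an authenticated user; until then a client is anonymous."""
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG: unique, non-sequential
        self.sessions[self._key(token)] = {"user": user, "issued": self.clock()}
        return token

    def cookie_header(self, token, domain):
        """Session cookie: no Expires/Max-Age (non-persistent), Secure, HttpOnly."""
        return (f"Set-Cookie: sid={token}; Domain={domain}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")

    def validate(self, token):
        """Called on every request. Returns (user, token) or None; the token is
        replaced once ROTATE_AFTER seconds have elapsed since it was issued."""
        rec = self.sessions.get(self._key(token))
        if rec is None:
            self.bad_lookups += 1
            if self.bad_lookups >= ALERT_THRESHOLD:
                self.events.append("possible session token brute force")
            return None
        if self.clock() - rec["issued"] >= ROTATE_AFTER:
            self.destroy(token)                       # old token is dead immediately
            return rec["user"], self.create(rec["user"])
        return rec["user"], token

    def destroy(self, token):
        """Log-out (or abnormal termination) tears the session down server-side."""
        self.sessions.pop(self._key(token), None)
```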