InfoSec Notes
Best practices for secure session management including token generation, cookie attributes, fixation prevention, and timeout strategies.
Overview
Session management maintains user state across stateless HTTP requests. Insecure session handling is one of the most common web vulnerabilities, enabling attackers to impersonate legitimate users.
Session Lifecycle
Secure Cookie Configuration
from flask import Flask, session
import secrets
app = Flask(__name__)
app.config.update(
SECRET_KEY=secrets.token_hex(32),
SESSION_COOKIE_NAME='__Host-session', # Host prefix
SESSION_COOKIE_SECURE=True, # HTTPS only
SESSION_COOKIE_HTTPONLY=True, # No JS access
SESSION_COOKIE_SAMESITE='Lax', # CSRF protection
SESSION_COOKIE_PATH='/', # Scoped to path
PERMANENT_SESSION_LIFETIME=1800, # 30 min idle timeout
)
# Cookie attributes explained:
# Secure: Only sent over HTTPS (prevents network sniffing)
# HttpOnly: JavaScript cannot access (prevents XSS theft)
# SameSite=Lax: Not sent in cross-site POST (prevents CSRF)
# __Host- prefix: Forces Secure, no Domain, Path=/ (strictest)Session Attacks and Prevention
| Attack | Description | Prevention |
|---|---|---|
| Session Hijacking | Steal session token (XSS, sniffing) | HttpOnly, Secure flags, HTTPS |
| Session Fixation | Force victim to use attacker's session ID | Regenerate ID on login |
| Session Prediction | Guess valid session IDs | CSPRNG, 128+ bit IDs |
| Cross-Site Cookie Manipulation | Override cookie from related subdomain | __Host- prefix, SameSite |
Interview Questions
- What is session fixation and how do you prevent it?
- Session fixation: attacker sets a known session ID in victim's browser (via URL, XSS, or meta tag), then waits for victim to authenticate. The session is now authenticated with an ID the attacker knows. Prevention: always regenerate the session ID immediately after successful login.
- Why should session IDs be regenerated after login?
- To prevent session fixation attacks. Before login, the session ID might be known to an attacker. Regenerating it after authentication ensures the authenticated session uses a fresh, unpredictable ID that only the legitimate user possesses.
- What is the difference between idle timeout and absolute timeout?
- Idle timeout expires sessions after a period of inactivity (protects unattended browsers). Absolute timeout expires sessions after a maximum total duration regardless of activity (limits the window for stolen token usage). Both should be implemented.
- How does the __Host- cookie prefix enhance security?
- The __Host- prefix forces: Secure flag (HTTPS only), no Domain attribute (exact host only, no subdomains), and Path=/ (full site scope). This prevents cookie injection from subdomains and ensures the cookie can only be set by the secure site itself.
- How would you handle session management in a microservices architecture?
- Options: centralized session store (Redis) shared by all services, JWT tokens (stateless but harder to revoke), API gateway that validates sessions and adds user context to internal requests, or each service validates tokens against an auth service. Trade-offs between statefulness and revocability.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Session Management Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, web, session, management, session management security
Related Information Security Topics