What is a Session Identifier?

About

A session identifier is a nonce that uniquely represents a session: a random, unguessable token that the server issues and later uses to find the session's state.

Instead of sending session information (such as username, login, start time, ...) to the client directly, the server creates a nonce and sends it to the client as the session identifier. When the server receives another request carrying that session identifier, it looks up the associated state (in a database, in memory, or in a file).

Usage

Storage

In an HTTP context, the sessions are called:

Length

The session ID length must be at least 128 bits (16 bytes), and those bits must come from a cryptographically secure random number generator: a long identifier derived from a predictable source (time, a counter, a process ID) is no better than a short one, because an attacker guesses the source rather than the identifier. More info: Session_Management_Cheat_Sheet

Security Considerations

Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities, in which the attacker gets the victim to use an identifier the attacker already knows: the server should never adopt an identifier it did not issue itself, and it should issue a fresh identifier whenever the privilege level of the session changes (typically at login).

You should:

For more, see the OWASP Session Management Cheat Sheet
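The length rule and the fixation advice above translate into a handful of PHP settings and two habits (regenerate at login, time out idle sessions). The block below is an added example written for this page, not code from the original page or from PHP's documentation; it assumes PHP 7.3 or later (for the options array of session_set_cookie_params) and a site served only over HTTPS, and the 15-minute idle limit and the login() helper are illustrative choices, not a standard:

```php
<?php
// Added example: hardened PHP session bootstrap (not from the original page).
// Assumes PHP >= 7.3 and an HTTPS-only site; IDLE_LIMIT and login() are illustrative.

// 1. Identifier size: 32 characters x 6 bits = 192 bits from PHP's CSPRNG,
//    above the 128-bit floor. (Both settings are deprecated since PHP 8.4,
//    where the default of 32 characters x 4 bits already gives 128 bits.)
ini_set('session.sid_length', '32');
ini_set('session.sid_bits_per_character', '6');

// 2. Fixation: strict mode makes PHP discard any session ID it did not issue
//    itself (an attacker-planted cookie is replaced, never adopted), and the
//    two "cookies only" settings keep the ID out of URLs, logs and Referer headers.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 3. Cookie attributes for the identifier itself.
session_set_cookie_params([
    'lifetime' => 0,       // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // never sent over plain HTTP
    'httponly' => true,    // not readable from JavaScript (limits theft via XSS)
    'samesite' => 'Lax',   // not sent on cross-site POST requests
]);

session_start();

// 4. Privilege change: a new ID at login makes any pre-login ID an attacker
//    may have fixed worthless. true = delete the old session data immediately.
function login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();
}

// 5. Idle timeout enforced server-side, independent of the cookie lifetime
//    (which the client controls and can simply ignore).
const IDLE_LIMIT = 15 * 60;

function session_is_live(): bool
{
    if (!isset($_SESSION['user'])) {
        return false; // anonymous
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        return false; // idle too long: caller must redirect to login
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

session.use_strict_mode is the setting that actually closes the fixation hole: without it, PHP happily creates a brand-new session under whatever ID the request supplies, which is exactly what the attacker needs. session_regenerate_id(true) is the second half, because strict mode alone does nothing against an ID that was legitimately issued to the attacker before being handed to the victim.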

Validation

Examples of checks a PHP application can run on each request. Every one of them is a heuristic: each can be evaded by an attacker and each can fire on a legitimate client, so they complement, and never replace, a properly generated and properly regenerated identifier.

  • Referrer is known
<?php
session_start();
// The Referer header is set by the client: it is often absent (privacy settings,
// HTTPS to HTTP navigation) and can be forged, so a mismatch is only a weak signal.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if (strpos($referer, 'http://vulnerable.example.com/') !== 0) {
    session_unset();
    session_destroy(); // Destroy all data in session
    session_start();   // Reopen an empty session so the code below has one to work with
}
session_regenerate_id(true); // Generate a new session identifier and delete the old one
  • Client address and user agent are unchanged
// Both can change legitimately (NAT, mobile networks, browser updates): expect false positives.
$addr  = $_SERVER['REMOTE_ADDR'];
$agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (($_SESSION['PREV_REMOTEADDR'] ?? $addr) != $addr
    || ($_SESSION['PREV_USERAGENT'] ?? $agent) != $agent) {
    session_unset();
    session_destroy(); // Destroy all data in session
    session_start();   // Writes to $_SESSION after session_destroy() alone would be lost
    session_regenerate_id(true); // Generate a new session identifier
}
$_SESSION['PREV_REMOTEADDR'] = $addr;  // Remember the current values for the next request
$_SESSION['PREV_USERAGENT']  = $agent;
  • Destroy on logout
// A logout reachable by GET can be triggered cross-site; a POST with a CSRF token is safer.
if (isset($_GET['LOGOUT'])) {
    $_SESSION = [];
    // Expire the cookie in the browser as well, not only the data on the server
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

Session data without Session Identifier

This section is more of a tip: another way to store session data, rather than a way to do without a session identifier.

If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly in a cookie, either:

  • encrypted with an authenticated cipher under a key that only the server knows, or
  • as a JWE (a JWT whose claims are encrypted, rather than merely signed as in a JWS)

Three caveats apply. The server keeps no record of the session, so a stolen or leaked cookie cannot be revoked before it expires: put the expiry inside the encrypted payload, where the client cannot change it, and keep it short. Encryption alone does not prevent tampering, so use an authenticated mode (AES-GCM, ChaCha20-Poly1305, XSalsa20-Poly1305, or a JWE enc value that provides integrity) and reject any cookie that fails the integrity check before looking at its contents. And browsers cap a single cookie at about 4 KB, so the session data must stay small.
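The first option above, as an added example written for this page (not code from the original page or from any library): the session data is sealed with libsodium's secretbox, which encrypts and authenticates in one step, and the expiry travels inside the ciphertext. It assumes PHP 7.2 or later with the sodium extension; the cookie name, the 15-minute lifetime and the demo data are arbitrary choices, and the per-process key generated at the end stands in for a key that a real deployment loads from its secret store.

```php
<?php
// Added example, not from the original page: session state carried in an
// encrypted and authenticated cookie (libsodium secretbox, XSalsa20-Poly1305),
// so the server stores nothing and needs no session identifier.
// Assumptions: PHP >= 7.2 with ext/sodium; 'sess' and the 15-minute lifetime
// are arbitrary; the throwaway key in the demo below is NOT how a server gets its key.

const SESSION_COOKIE = 'sess';
const SESSION_TTL    = 900; // seconds; nothing server-side can revoke the cookie, so keep it short

function seal_session(array $data, string $key): string
{
    // The expiry lives inside the ciphertext, so the client cannot extend it.
    $data['exp'] = time() + SESSION_TTL;
    // A fresh random nonce per cookie; reusing one with the same key leaks plaintext.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = sodium_crypto_secretbox(json_encode($data), $nonce, $key);
    return base64_encode($nonce . $sealed); // nonce || ciphertext || Poly1305 tag
}

function open_session(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The tag is verified before anything is decrypted: one flipped bit and this is false.
    $plain = sodium_crypto_secretbox_open($sealed, $nonce, $key);
    if ($plain === false) {
        return null; // tampered, or sealed under another key
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null; // expired, or not a payload we wrote
    }
    unset($data['exp']);
    return $data;
}

function set_session_cookie(array $data, string $key): void
{
    setcookie(SESSION_COOKIE, seal_session($data, $key), [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: a throwaway key stands in for the server's long-lived secret.
$key    = sodium_crypto_secretbox_keygen();
$cookie = seal_session(['user' => 'alice', 'role' => 'admin'], $key);
var_dump(open_session($cookie, $key));   // array with user => alice, role => admin

// Flip one character inside the ciphertext: the tag check fails and nothing is trusted.
$tampered     = $cookie;
$tampered[40] = ($tampered[40] === 'A') ? 'B' : 'A';
var_dump(open_session($tampered, $key)); // NULL
```

The same design expressed as a JWE would use a direct-encryption algorithm (alg "dir") with an AEAD enc value such as A256GCM and an exp claim; the properties are identical, the serialization is just standardized. Note what key rotation means here: after the key changes, every existing cookie fails to open and every user is logged out, so rotate by accepting the previous key for decryption during a short overlap window while sealing only with the new one.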




