Web applications often use session tokens to track user sessions and maintain state. With each request, these tokens are passed between the client and server, allowing the server to identify the user session. While session tokens are useful, their management and expiration policies are critical for application security.
Session Expiration Not Enough
Many web applications set session expiration policies based simply on inactivity timeouts. For example, if there is no activity in the user session for 15 minutes, the session is terminated. However, inactivity timeouts alone are not sufficient for secure session management.
The National Institute of Standards and Technology (NIST) provides guidelines that session tokens should expire after an absolute timeout, regardless of activity. This ensures that an attacker cannot indefinitely prolong a hijacked session. The Open Web Application Security Project (OWASP) similarly recommends absolute timeouts no longer than the business-required timeframe, typically 30 minutes for high-security applications.
Relying only on inactivity timeouts means a hijacked but active session could persist indefinitely. Attackers could proactively refresh the session to prevent inactivity timeouts. Additionally, users may walk away from an active session which could then be hijacked. Absolute timeouts mitigate these risks.
Session Hijacking Attacks
Attackers often target session tokens to hijack user sessions and assume their identities. Common attacks and their prevention include:
- Session prediction - Some session tokens are generated using weak algorithms and can be predicted by the attacker. Strong session ID generation is critical.
- Man-in-the-middle - The attacker intercepts traffic between client and server to steal the session token. Sensitive traffic should always be encrypted via HTTPS.
- Cross-site scripting (XSS) - An attacker injects malicious scripts into the page to steal the session token. The token can then be used to impersonate the user.
- Session sidejacking - On public WiFi networks, the attacker monitors traffic to steal session tokens from the wire. Network traffic should be secured and encrypted.
- Brute force - An attacker performs automated guessing on session tokens to find valid ones. Long, high-entropy session tokens mitigate this.
Securing Session Tokens
Companies should implement security best practices around session management:
- Enforce absolute session expiration timeouts consistent with business needs, and for sensitive applications an inactivity timeout of no longer than 5 minutes.
- Generate strong session tokens with at least 128 bits of entropy. Avoid tokens that are guessable or predictable.
- Use HTTPS encryption for all sites handling sensitive data or transactions. Encrypt network traffic end-to-end.
- Implement additional session security controls like binding tokens to client IP addresses and/or browser fingerprints (note that strict IP binding can log out legitimate users whose address changes, for example on mobile or NAT'd networks).
- Follow secure coding practices around session management in application development.
Properly managing web session tokens is critical for mitigating session hijacking, maintaining state securely, and protecting user identities and data. Combining short absolute expiration timeouts, strong session IDs, encryption, and other controls provides defense-in-depth for this critical component of web security.