Evaluation of Web Application Session Security

摘要

Sessions variables are widely used in web applications, almost in every web application. It has been used to keep the state of logged in or authenticated users mainly, and to monitor the number of users currently using the web application. It has other useful usage as a security feature to logout the user automatically from the web application after the session timer expires. Due to the criticality of the information the sessions holds, it is important to evaluate its security. In this paper, some types of attacks on the sessions will be listed, different ways of storing sessions on the client, and the best utilization of the sessions. The outcome of this paper is whether to recommend using session variables or not, when to be used, and for what purpose it should or shouldn't be used.