Session Management

• Establish How Session Management is Handled in the Application

  • Determine how the application manages sessions, such as whether it uses tokens stored in cookies, tokens included in URLs, or another method.

• Check Session Tokens for Cookie Flags

  • Verify that session cookies have appropriate flags set, specifically httpOnly and secure, to enhance security.

• Check Session Cookie Scope

  • Assess the path and domain attributes of the session cookie to ensure they are set correctly to limit access.

• Check Session Cookie Duration

  • Review the expires and max-age attributes of session cookies to ensure they are configured to expire appropriately.

• Check Session Termination After a Maximum Lifetime

  • Test if the application terminates sessions after reaching a specified maximum lifetime, enhancing security.

• Check Session Termination After Relative Timeout

  • Evaluate whether sessions are terminated after a period of inactivity, enforcing relative timeout policies.

• Check Session Termination After Logout

  • Confirm that sessions are properly terminated when a user logs out of the application to prevent unauthorized access.

• Test to See if Users Can Have Multiple Simultaneous Sessions

  • Investigate if the application allows users to maintain multiple active sessions simultaneously and how it handles them.

• Test Session Cookies for Randomness

  • Ensure that session tokens or cookies are generated randomly and are not predictable to prevent session fixation attacks.

• Confirm that New Session Tokens are Issued on Login, Role Change, and Logout

  • Verify that the application issues new session tokens whenever a user logs in, changes their role, or logs out, to ensure session integrity.

• Test for Consistent Session Management Across Applications with Shared Session Management

  • Evaluate the consistency of session management mechanisms across applications that utilize shared session management.

• Test for Session Puzzling

  • Assess the application for vulnerabilities related to session puzzling, where session identifiers are improperly managed or combined.

• Test for CSRF and Clickjacking

  • Perform tests to identify Cross-Site Request Forgery (CSRF) vulnerabilities and clickjacking issues in the application.