The session management mechanism is a major security element in the majority of web applications. It is what allows the application to uniquely recognize a given user across a number of various requests and to handle the data that it accumulates about the state of that user’s interaction with the application. Where an application implements login functionality, session management is of particular importance, because it is what allows the application to persist its assurance of any given user’s identity beyond the request in which he provides his credentials.
Because of the important role played by session management mechanisms, they are a top target for malicious attacks against the application. If a hacker can break an application’s session management, he can completely bypass its authentication controls and pretend as other application users without knowing their credentials. If an attacker compromises an administrative user in this way, the attacker can own the whole application.
As with authentication mechanisms, many types of defects can commonly be found in session management functions. In the most vulnerable cases, an attacker simply needs to increment the value of a token assigned to him by the application to switch his session to a different user. In this condition, the application is wide open for anyone to access all areas. An attacker may have to work very hard, deciphering several layers of obfuscation and devising a complex automated attack, before finding a flaw in the web application.
