1
00:00:00,840 --> 00:00:02,460
Session-related issues.

2
00:00:03,510 --> 00:00:08,340
So cookies are used to implement session management for Web applications.

3
00:00:09,360 --> 00:00:15,150
In order to avoid attacks against session management, an application should have a good cookie policy

4
00:00:15,150 --> 00:00:20,310
because the session ID that identifies the user is carried in the cookie.

5
00:00:21,320 --> 00:00:24,770
That's why cookies are so very important to an application.

6
00:00:25,690 --> 00:00:32,890
So now let's talk about the session ID value that is transported in the cookies. The session ID represents

7
00:00:32,890 --> 00:00:39,880
the user, so after the user logs into the application, it is as important as the login data itself,

8
00:00:40,060 --> 00:00:50,050
username and password. The session ID value should be unique, random, unpredictable, and long enough, so

9
00:00:50,050 --> 00:00:56,410
these properties can make the session ID resistant to session analysis and brute force attacks.

10
00:00:57,190 --> 00:01:00,910
But often, very often, this is not enough for protection.

11
00:01:01,630 --> 00:01:07,280
The application should transport the session value in a safe way, such as HTTPS.

12
00:01:08,050 --> 00:01:14,530
So now we have a session ID value that is transported safely and is strong against attacks.

13
00:01:15,160 --> 00:01:20,880
But the last thing is that a session ID should also have a lifetime.

14
00:01:21,640 --> 00:01:23,380
I mean, this is absolutely true.

15
00:01:23,830 --> 00:01:28,360
A session value should be created and live until a certain time.

16
00:01:28,900 --> 00:01:32,560
That's why the session ID should have an expiration date.

17
00:01:33,280 --> 00:01:39,520
So in general, for session ID values, if the expiry date is not set, the session will last until

18
00:01:39,520 --> 00:01:47,410
the browser is closed, and if it's directly set, the session ID will be stored in the browser until

19
00:01:47,410 --> 00:01:48,690
the expiry date.

20
00:01:49,450 --> 00:01:55,120
So as pen testers, we should check all of these properties and then report all of those findings about

21
00:01:55,120 --> 00:01:57,730
the insecure session ID values.