- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
Session management is the rule set that governs interactions between a web-based application and users. Browsers and websites use HTTP to communicate, and a web session is a series of HTTP requests and response transactions created by the same user. Since HTTP is a stateless protocol, where each request and response pair is independent of other web interactions, each command runs independently without knowing previous commands. In order to introduce the concept of a session, it is necessary to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications.
There are two types of session management – cookie-based and URL rewriting. These can be used independently or together. A web administrator uses session management to track the frequency of visits to a website and movement within the site.
Learn about website authentication best practices and session management in Java. Read our articleSession Cookie Secure Flag Java.
When user authentication and session management is not correctly configured, attackers may be able to compromise passwords, session tokens or keys to gain access to users accounts and assume their identities. It’s important for developers to ensure they’re using the latest version of any framework, to securely configure session management options and to adopt application security testing protocols to identify and remediate any issues.