HTTP (the protocol used to deliver web pages) is stateless, which means that each request and response is handled independently of every other. The problem with this is that a website has no built-in way of tracking who you are as you travel from one page to another. Imagine having to log in again on every page you visit – it’d be a nightmare! This is where session management comes in.
A session is a sequence of interactions between a user and an application within a given time frame. When done correctly, session management allows for a fluid user experience: users are able to log in and traverse the site, with all their preferences (such as whether dark mode is enabled, their currency, and their language) remembered and configured to their liking. When it is done poorly, however, security risks are created, and attackers may be able to hijack users’ sessions and act under their identities.
A recent example of poor session management is a bug that was disclosed by Twitter. Typically, when a user logs out or resets their password, the active sessions on all of their devices are destroyed. This way, if a user loses their phone or suspects that someone else is logged into their account, they can reset their password and be confident that every device has been logged out. The bug Twitter disclosed meant that active sessions on Android and iOS were not deleted after an account’s password was reset.
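As an added example (not code from the original post, and not Twitter’s implementation), the following constructed Python session store stamps every session with the password "generation" it was issued under; a password reset bumps the counter, so a session issued earlier on any device is rejected at validation time even if a per-device delete never ran. The user, passwords and device names are made-up sample values.

```python
import hashlib
import secrets

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SessionStore:
    def __init__(self):
        self.users = {}     # user -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # sha256(token) -> {"user", "generation" at issue time, "device"}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw_hash": _pw_hash(password, salt), "generation": 0}

    def login(self, user, password, device):
        rec = self.users.get(user)
        if rec is None or not secrets.compare_digest(rec["pw_hash"], _pw_hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # client keeps this; server stores only its hash
        key = hashlib.sha256(token.encode()).hexdigest()
        self.sessions[key] = {"user": user, "generation": rec["generation"], "device": device}
        return token

    def validate(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        sess = self.sessions.get(key)
        if sess is None:
            return None
        if sess["generation"] != self.users[sess["user"]]["generation"]:
            del self.sessions[key]  # issued before the last reset: reject and purge
            return None
        return sess["user"]

    def reset_password(self, user, new_password):
        rec = self.users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = _pw_hash(new_password, rec["salt"])
        rec["generation"] += 1  # one write revokes sessions on every device


def demo():
    store = SessionStore()
    store.register("alice", "old-pass")
    phone, web = (store.login("alice", "old-pass", d) for d in ("android", "browser"))
    before = (store.validate(phone), store.validate(web))
    store.reset_password("alice", "new-pass")
    after = (store.validate(phone), store.validate(web))
    return before, after, store.validate(store.login("alice", "new-pass", "browser"))
```

`demo()` returns `(("alice", "alice"), (None, None), "alice")`: both device sessions are live before the reset, both are rejected afterwards, and only a fresh login under the new password is accepted.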
Session management vulnerabilities can be avoided in the first place through secure coding practices (which can be learned through secure code training), or uncovered by penetration tests and code reviews. Vertex Cyber Security has helped many clients write secure code and has uncovered vulnerabilities such as this one in code reviews and penetration tests. If you would like to talk to our cyber security experts, feel free to contact us on 1300 2 CYBER (29237) or .