Strong session management is a crucial part of a secure web application. Since HTTP does not directly provide a session abstraction, application developers must bake their own using cookies.
However, it is surprisingly easy to make a mistake here, even when the application uses a sophisticated application framework. When we perform security reviews of web applications, we almost always find fatal flaws in this area that would allow a malicious person to steal sensitive data, perform fraudulent financial transactions, and generally ruin a user’s day.
Developing an application with secure session management requires developers to understand the few (but crucial) subtleties of cookies—their attributes, their values, and how to keep them confidential—and to understand how real-world attackers are abusing weak session management right now.
In this session we hope to help web application designers, developers, and operators create and deploy secure web applications. (Or at least applications in which session management is not the weakest link!)
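As an added illustration of the cookie subtleties the abstract refers to (this is example code, not from the talk or from iSEC Partners), the helper below mints a session ID from the OS CSPRNG, emits a `Set-Cookie` header with the attributes that keep it confidential, and audits any `Set-Cookie` header for the usual omissions; the attribute names are the standard ones, the minimum-length threshold is an assumption.

```python
import secrets

# ~128 bits of entropy in base64url is about 22 characters (assumed floor).
MIN_SESSION_ID_CHARS = 22


def new_session_id(nbytes: int = 32) -> str:
    """Unpredictable session identifier from the OS CSPRNG, base64url encoded."""
    return secrets.token_urlsafe(nbytes)


def session_set_cookie(name: str, session_id: str, max_age: int = 3600) -> str:
    """Set-Cookie header for a session cookie: HTTPS only, hidden from script,
    not sent on cross-site requests, scoped to this host (no Domain attribute)."""
    return (f"{name}={session_id}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


def audit_set_cookie(header: str) -> list:
    """Return a list of weaknesses found in a Set-Cookie header value.
    An empty list means the cookie passes every check."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    _name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: cookie readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict: cookie rides on cross-site requests")
    if "domain" in attrs:
        issues.append("Domain attribute set: cookie shared with all subdomains")
    if len(value) < MIN_SESSION_ID_CHARS or value.isdigit():
        issues.append("session value is short or numeric: likely guessable")
    return issues


if __name__ == "__main__":
    good = session_set_cookie("sid", new_session_id())
    print(good, audit_set_cookie(good))
    # Constructed weak header for comparison (sequential id, no attributes).
    print(audit_set_cookie("sid=10042; Path=/"))
```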
Chris Palmer is a senior security consultant with iSEC Partners, a strategic digital security company. Prior to iSEC, Chris worked for the Electronic Frontier Foundation where he provided technical management and analysis of several key EFF projects and provided technical advice to EFF (and other) lawyers. Prior to the EFF, Chris built web applications.