Session Management

Ajay Monga
Sep 19, 2024

--

Session Lifecycle

Session Creation > Session Assign > Session Exchange > Session Termination

Session Creation

  1. Weak session ID (short, low-entropy, or predictable)
  2. Cookie scoped to the parent domain (visible to every subdomain)
  3. Cookie path attribute broader than the application's path
  4. Session puzzling (session variable overloading) attack

Session Assign

  1. Cookie created without the HttpOnly flag (readable from script)
  2. Cookie created without the Secure flag (also sent over plain HTTP, not only TLS)

Session Exchange

  1. Session ID contained in the URL (leaks through logs, browser history, and Referer headers)
  2. Multiple concurrent sessions allowed for one user
  3. IP hopping (session stays valid after the client's IP address changes)
  4. Kiosk issue (session remains usable on a shared machine after the user leaves)

Session Termination

  1. No logout function
  2. Session expiration issue (session still usable after it should have expired)
  3. Session not invalidated server-side on logout
  4. Session timeout (idle or absolute) missing or too long
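To make the Session Termination checks concrete, here is an in-memory session store written for this post as an added illustration (it is not the article's code or any framework's API). `SessionStore` shows the behaviour a tester expects: logout destroys the server-side record, an idle timeout and an absolute timeout both expire the session, and the ID comes from the OS CSPRNG. `ClientOnlyLogoutStore` is the weak pattern behind the "session not expired on logout" finding: the cookie is cleared but the old ID keeps validating. The clock is injectable so the timeouts can be exercised without sleeping; the timeout values and cookie name `session` are assumptions.

```python
import secrets
import time


class SessionStore:
    """In-memory session store (added illustration, not the article's code).

    Implements the controls the Session Termination checks look for:
    logout that destroys server-side state, an idle timeout and an absolute
    timeout. `clock` is injectable so tests can advance time deterministically.
    """

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds since last request
        self.absolute_timeout = absolute_timeout  # seconds since creation
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        # 32 bytes from the OS CSPRNG (256 bits): addresses "Session ID Strength"
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None. Expired records are deleted."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self.clock()
        idle_for = now - record["last_seen"]
        age = now - record["created"]
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[sid]
            return None
        record["last_seen"] = now  # sliding idle window; absolute window never slides
        return record["user"]

    def logout(self, sid):
        """Server-side invalidation, then a header that clears the browser cookie.
        The old ID must not validate afterwards."""
        self._sessions.pop(sid, None)
        return "session=; Max-Age=0; Path=/; Secure; HttpOnly"


class ClientOnlyLogoutStore(SessionStore):
    """Weak variant: logout only clears the cookie, the server record stays alive,
    so anyone holding the old ID (proxy log, shared kiosk) can keep using it."""

    def logout(self, sid):
        return "session=; Max-Age=0; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock (no real time passes).
    fake_now = [1_000_000.0]
    store = SessionStore(idle_timeout=60, absolute_timeout=600, clock=lambda: fake_now[0])
    sid = store.create("alice")
    print("fresh session valid:", store.validate(sid) == "alice")
    fake_now[0] += 61
    print("after 61s idle:", store.validate(sid))  # None: idle timeout hit
    sid = store.create("alice")
    store.logout(sid)
    print("after logout:", store.validate(sid))     # None: server record gone
    weak = ClientOnlyLogoutStore(idle_timeout=60, absolute_timeout=600, clock=lambda: fake_now[0])
    sid = weak.create("bob")
    weak.logout(sid)
    print("weak store after logout:", weak.validate(sid))  # "bob": finding
```

When testing a real application the equivalent check is: capture the session cookie, log out, then replay a request with the captured cookie through the proxy; if it still returns authenticated content, the termination is client-side only.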

Longer write-up (ChatGPT-assisted): https://ajaymonga.medium.com/session-management-lifecycle-8a0a554f4015

Approach

  1. Check session cookies, tokens, and URL parameters
  2. Inspect browser storage (cookies, localStorage, sessionStorage) for session data
  3. Intercept HTTP traffic to see how the session is exchanged
  4. Walk through the whole session lifecycle (creation, assignment, exchange, termination)

Then: identify possible weak spots > exploit them > document the findings
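Step 1 of the approach, and the Session Creation, Assign and Exchange items above, can be checked mechanically once the Set-Cookie headers and URLs are in hand from the proxy. The following Python script is an added example written for this post (not the article's code, and not tied to any tool); the cookie names in `SESSION_COOKIE_NAMES`, the 64-bit threshold and the sample headers are assumptions and constructed inputs. The entropy figure is only a rough character-spread estimate that catches short or repetitive IDs; proving an ID is unpredictable needs a sample of many IDs and a proper randomness analysis.

```python
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Cookie names commonly used for session identifiers. Assumption: extend this
# with the target application's own cookie name before running the audit.
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "session", "sessionid", "sid",
}
MIN_SESSION_ID_BITS = 64  # threshold assumed for this example


def shannon_entropy_bits(token):
    """Rough strength estimate: per-character Shannon entropy times length.

    Measures character spread within one token, so it catches short or
    repetitive IDs; it cannot prove randomness (a hex counter looks fine).
    """
    if not token:
        return 0.0
    n = len(token)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(token).values())
    return per_char * n


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def _path_within(cookie_path, app_path):
    base = app_path.rstrip("/")
    return cookie_path.rstrip("/") == base or cookie_path.startswith(base + "/")


def audit_cookie(header, request_host, app_path="/"):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    # Domain=.example.com on a response from app.example.com shares the cookie
    # with every sibling subdomain (the "parent domain" item).
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = request_host.lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append(f"scoped to parent domain {domain}")
    # A Path wider than the application's base path exposes the cookie to
    # other applications on the same host (the "path attribute" item).
    cookie_path = attrs.get("path")
    if app_path != "/" and (cookie_path is None or not _path_within(cookie_path, app_path)):
        findings.append(f"path {cookie_path or '(default)'} is broader than application path {app_path}")
    if name.lower() in SESSION_COOKIE_NAMES and shannon_entropy_bits(value) < MIN_SESSION_ID_BITS:
        findings.append(f"session ID has under {MIN_SESSION_ID_BITS} bits of estimated entropy")
    return name, findings


def session_id_in_url(url):
    """True if a known session cookie name appears as a query parameter or as a
    path parameter (the ;jsessionid=... form used by servlet containers)."""
    parsed = urlsplit(url)  # urlsplit keeps ';params' inside the path, urlparse would not
    if any(k.lower() in SESSION_COOKIE_NAMES for k in parse_qs(parsed.query)):
        return True
    path = parsed.path.lower()
    return any(f";{n}=" in path for n in SESSION_COOKIE_NAMES)


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    host, app = "app.example.com", "/shop"
    for hdr in [
        "PHPSESSID=abc123; Path=/; Domain=.example.com",
        "sid=0123456789abcdeffedcba9876543210; Path=/shop; Domain=app.example.com; Secure; HttpOnly; SameSite=Lax",
    ]:
        print(audit_cookie(hdr, host, app))
    print(session_id_in_url("https://app.example.com/shop/cart;jsessionid=ABC?item=42"))
```

Feed it every Set-Cookie header the proxy recorded together with the host it came from and the application's base path; anything flagged becomes a candidate for the exploit step (for example, a cookie without Secure is the starting point for a plain-HTTP capture test, and a parent-domain cookie for a sibling-subdomain read).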

Test approach organised by session lifecycle stage (ChatGPT-assisted): https://ajaymonga.medium.com/session-management-issues-test-approach-95c2d032becb

Approach to session management vulnerabilities during a penetration test (ChatGPT-assisted): https://ajaymonga.medium.com/approach-during-session-management-vulnerabilities-during-penetration-testing-59aad792c6d0
