I’m improving the security of user sessions in my web application, but I got into trouble. Some of the items from my list of security improvements cause users to relogin from time to time. Here’s my list; which of them are widely accepted and used? Which are used by you?
- checking the user's IP address (it changes for mobile internet connections) edit: there’s no reasonable way to gain access to the user's IP
- checking HTTP_USER_AGENT (some browsers like IE and mobile device browsers change it from time to time during a single session)
- allowing only one session per user id (when a user logs in from two locations, he’s signed out of the first one)
- regenerating the session id after each request
Are there any other? My application doesn’t process too sensitive data, but should be protected at certain level.
Given that the HTTP_USER_AGENT is controlled by an attacker, you can’t trust it, but you can use it as a signal to detect when a user is legitimately logged in and an impersonator is logged in. The IP address is a similar signal. You may want to look at such signals and choose to weight them so that you get a tolerable level of false negatives.
Depending on what you mean by it, it may not be strictly necessary, but if you are going to do
then you do need to invalidate the old ID when you assign the new one to avoid the class 1 session fixation vulns: “A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user.”
When generating IDs, make sure you don’t allow untrusted inputs to limit the session IDs that you might generate and make sure your session IDs aren’t predictable. Otherwise you are susceptible to the type 2 session fixation attacks: “An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session.”
See https://www.owasp.org/index.php/Session_Management for other security tips on dealing with sessions.
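The following is an added example, written for this page and not code from either the asker or the answerer, that puts the question's list (one session per user id, user-agent and IP checks, id regeneration) and the answer's two fixation points (invalidate the old id when authenticating; never let the client choose or constrain the id) into one small server-side session store. Everything in it is constructed: the in-memory dictionaries stand in for whatever database or cache a real application would use, and the signal weights and threshold are illustrative values you would tune to your own false-negative tolerance.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Soft-signal weights (assumed values). Neither the user agent nor the IP proves
# anything on its own, so a session is only destroyed once the combined score
# for a request reaches the threshold; a lone change is tolerated.
UA_MISMATCH_WEIGHT = 1
IP_MISMATCH_WEIGHT = 1
SUSPICION_THRESHOLD = 2


@dataclass
class Session:
    user_id: Optional[str]   # None while the session is anonymous
    user_agent: str          # baseline recorded when the session was issued
    ip: str
    created: float
    last_score: int = 0      # signal score of the most recent lookup


class SessionStore:
    """Constructed in-memory store; a real deployment would share this state
    across application servers through a database or cache."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}   # user_id -> current session id

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derived from anything the client sent,
        # so an attacker can neither predict it nor steer what gets generated.
        return secrets.token_urlsafe(32)

    def start(self, user_agent: str, ip: str) -> str:
        """Create an anonymous session under a server-chosen id."""
        sid = self._new_id()
        self._sessions[sid] = Session(None, user_agent, ip, time.time())
        return sid

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id for an existing session and invalidate the old one
        (what 'regenerate the id after each request' amounts to)."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        if sess.user_id is not None:
            self._by_user[sess.user_id] = new_sid
        return new_sid

    def login(self, presented_sid: Optional[str], user_id: str,
              user_agent: str, ip: str) -> str:
        """Authenticate. The id the client presented (possibly one planted by an
        attacker) is dropped rather than upgraded, and any earlier session of the
        same user is signed out so only one session per user id exists."""
        self._sessions.pop(presented_sid, None)
        previous = self._by_user.get(user_id)
        if previous is not None:
            self._sessions.pop(previous, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user_id, user_agent, ip, time.time())
        self._by_user[user_id] = new_sid
        return new_sid

    def lookup(self, presented_sid: str, user_agent: str, ip: str) -> Optional[Session]:
        """Resolve the id sent by the client. Unknown ids are never adopted, so a
        client cannot pick its own id; UA/IP mismatches only raise a score."""
        sess = self._sessions.get(presented_sid)
        if sess is None:
            return None
        score = 0
        if sess.user_agent != user_agent:
            score += UA_MISMATCH_WEIGHT
        if sess.ip != ip:
            score += IP_MISMATCH_WEIGHT
        sess.last_score = score
        if score >= SUSPICION_THRESHOLD:
            self.logout(presented_sid)   # both signals disagree: treat as hijack
            return None
        return sess

    def logout(self, sid: str) -> None:
        sess = self._sessions.pop(sid, None)
        if sess is not None and sess.user_id is not None \
                and self._by_user.get(sess.user_id) == sid:
            del self._by_user[sess.user_id]
```

The baseline user agent and IP are those seen at issue time and are not refreshed on a tolerated mismatch; refreshing them would let a request that matches only one signal quietly move the baseline. A user whose mobile IP changes therefore scores 1 on every request and is still admitted, while a request where both signals differ from the baseline ends the session.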