When is the best time to assign session ids?
- Have a single session id for a complete browser instance.
a session ID to a user on the login page.
- On logout change the
session ID to a new value.
- Assign a session id after authentication,
change it at logout.
The best option is 4. Assign a session ID after authentication, change
it at logout.
Web applications must establish sessions to keep track of the stream of requests
from each user. Applications do this by assigning a unique value to each user
and check for this value in each request to identify the user. This value is
a session token. Most of the times the web application environment provides
session management capability, but many developers prefer to create their own
session tokens. In either case, if the session tokens are not properly implemented,
an attacker can hijack an active session and assume the identity of a user.
Option 1: Have a single session id for a complete browser instance. If there
is a single session ID assigned to a browser, then every user who logs through
that browser will get the same session id. Suppose an attacker uses the application
and logs out without closing the browser. A valid user then uses the same browser
instance to log into the application. The attacker already knows the session
ID and can hijack the user's session from another system.
Option 2: Assign a session ID to a user on the login page. It means that the
session ID provided at the login page is same as the session id after authentication.
The issue with this method is similar to that in option 1. An attacker can
steal the session ID from the home page and leave without logging in. When
a user logs into the application, on authentication the same session ID is
Option 3: On logout change the session ID to a new value. This option is actually
just a variation of the previous option. Here when a user logs out of the application,
the session ID value changes. This new value is bound to the next user after
authentication. So, in effect the session ID on the login page is what is assigned
to the user on authentication. So an attacker can note the session ID after
logging out and when another user logs in through the same browser, can hijack
Option 4: Assign a session id after authentication, change it at logout. This
is the most secure method of assigning session IDs. Since the value is different
before login, after login and after logout, an attacker cannot steal the session