The little-known horrors of web application session management - Matthew Sullivan Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Web application session management sounds pretty straightforward, right? Send creds, get a cookie, send the cookie on subsequent requests, and you're in. While that may be true, it's only half of the (horror) story. In this technical, example-driven talk, we'll dive into session management issues in a manner friendly to newbies and veterans alike. We'll describe some of the more common web app session management issues, discover industry trends ("I don't need no stinkin' database!"), and detail some of the new directions in session management security. I'll wrap up the talk by demonstrating some ways in which web app sessions can be made more resilient to attacks.
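The two session models the abstract alludes to, the classic "cookie is an opaque ID into a server-side store" design and the "I don't need no stinkin' database" design where the cookie itself carries the signed session state, as an added example. This is illustrative code written for this page, not code from the talk or from Cookie Cadger; the function names, the in-memory dict standing in for the database, the JSON-plus-HMAC token layout and the one-hour lifetime are all assumptions chosen to keep the example self-contained.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-wide signing key. A real deployment would load this from
# configuration; generating it at import time is only for the stand-alone example.
SERVER_KEY = secrets.token_bytes(32)

# ---------------------------------------------------------------------------
# Model 1: stateful. The cookie value is a random ID; everything about the
# session lives server-side. The dict below stands in for the session database.
# ---------------------------------------------------------------------------
SESSION_STORE = {}  # session_id -> {"user": ..., "created": ...}


def login_stateful(username):
    """Credentials accepted: mint an unguessable ID and record the session."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of entropy
    SESSION_STORE[session_id] = {"user": username, "created": time.time()}
    return session_id  # this is what goes into Set-Cookie


def authenticate_stateful(cookie_value):
    """Subsequent request: look the cookie up; unknown IDs are simply not sessions."""
    session = SESSION_STORE.get(cookie_value)
    return session["user"] if session else None


def logout_stateful(cookie_value):
    """Server-side revocation: once removed, the old cookie value is dead."""
    SESSION_STORE.pop(cookie_value, None)


# ---------------------------------------------------------------------------
# Model 2: stateless. The cookie carries the session claims plus an HMAC over
# them, so the server keeps no per-session record at all.
# ---------------------------------------------------------------------------
def b64encode_nopad(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64decode_nopad(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login_stateless(username, ttl=3600, now=None):
    """Credentials accepted: sign {user, exp} with the server key and hand it back."""
    now = time.time() if now is None else now
    claims = {"user": username, "exp": int(now + ttl)}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64encode_nopad(payload) + "." + b64encode_nopad(signature)


def authenticate_stateless(cookie_value, now=None):
    """Subsequent request: verify the HMAC before trusting a single claim byte."""
    now = time.time() if now is None else now
    try:
        payload_b64, signature_b64 = cookie_value.split(".", 1)
        payload = b64decode_nopad(payload_b64)
        signature = b64decode_nopad(signature_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(signature, expected):
        return None  # tampered payload or wrong key
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired; the only lifetime control this model has
    return claims.get("user")


if __name__ == "__main__":
    sid = login_stateful("alice")
    print("stateful:", authenticate_stateful(sid))
    token = login_stateless("alice", ttl=60, now=1000)
    print("stateless:", authenticate_stateless(token, now=1010))
```

Note what the stateless variant has no function for: there is no `logout_stateless`, because with nothing recorded server-side the only thing that ends a signed token is its `exp` claim. That trade-off is a property of this example's design, and it is the kind of thing a practitioner should weigh before dropping the session database.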

Matthew Sullivan is a pentester, developer, and security analyst living in Ames, Iowa. Matthew is the co-founder of the OWASP Ames chapter, creator of the Cookie Cadger HTTP session auditing tool, and an occasional presenter to both technical and non-technical audiences at various conferences and seminars.


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast