Web application session management sounds pretty straightforward, right? Send creds, get a cookie, send the cookie on subsequent requests, and you're in. While that may be true, it's only half of the (horror) story. In this technical, example-driven talk, we'll dive into session management issues in a manner friendly to both newbies and veterans alike. We'll describe some of the more common web app session management issues, discover industry trends ("I don't need no stinkin' database!"), detail some of the new directions in session management security. I'll wrap up the talk by demonstrating some ways in which web app sessions can be made more resilient to attacks.

Matthew Sullivan is a pentester, developer, and security analyst living in Ames, Iowa. Matthew is the co-founder of the OWASP Ames chapter, creator of the Cookie Cadger HTTP session auditing tool, and an occasional presenter to both technical and non-technical audiences at various conferences and seminars.

Back to Derbycon 2015 video list