Sessionless state mechanisms — Some applications do not issue session tokens in order to manage the state of a user's interaction with the application but rather transmit all data required to manage that state via the client, usually in a cookie or a hidden form field. In effect, this mechanism uses sessionless state in a similar way to the ASP.NET ViewState. In order for this type of mechanism to be secure, the data transmitted via the client must be properly protected. This usually involves constructing a binary blob containing all of the state information, and encrypting or signing this using a recognized algorithm. Sufficient context must be included within the data to prevent an attacker from collecting a state object at one location within the application and submitting it to another location to cause some undesirable behavior. The application may also include an expiration time within the object's data, to perform the equivalent of session timeouts. Chapter 5 describes in more detail secure mechanisms for transmitting data via the client.
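The signed, context-bound, expiring state blob described above, as an added Python example that is not the book's own code: an HMAC-SHA256 tag over a JSON body, verified before anything in the body is parsed, then checked for the location it was issued to and for expiry (signing alone gives integrity, not confidentiality; encrypt as well if the state must stay secret from the client). The key, the "checkout/step2" location names and the fixed clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real server loads it from a secret store.
SECRET_KEY = b"example-only-secret-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

def seal_state(state, context, ttl, key=SECRET_KEY, now=None):
    """Pack state + binding context + expiry into a signed client-side blob."""
    now = time.time() if now is None else now
    payload = {"state": state, "ctx": context, "exp": int(now + ttl)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def open_state(token, expected_context, key=SECRET_KEY, now=None):
    """Return (state, None) if authentic, bound to this context and unexpired."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, "malformed"
    if len(raw) <= TAG_LEN:
        return None, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time check BEFORE parsing anything the client controls.
    if not hmac.compare_digest(tag, expected):
        return None, "bad-signature"
    payload = json.loads(body)
    if payload.get("ctx") != expected_context:
        return None, "wrong-context"  # blob replayed at another location
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        return None, "expired"  # equivalent of a session timeout
    return payload["state"], None

def demo():
    """Exercise each check with a fixed clock; returns the outcomes."""
    tok = seal_state({"user": "alice", "price": 100}, "checkout/step2", 300, now=1000)
    raw = base64.urlsafe_b64decode(tok)
    # Edit the body only (price 100 -> 999), leaving the original tag in place.
    edited = raw[:-TAG_LEN].replace(b"100", b"999") + raw[-TAG_LEN:]
    return {
        "valid": open_state(tok, "checkout/step2", now=1100),
        "moved": open_state(tok, "checkout/step3", now=1100),
        "late": open_state(tok, "checkout/step2", now=1300),
        "edited": open_state(base64.urlsafe_b64encode(edited).decode(), "checkout/step2", now=1100),
        "garbage": open_state("not-a-token", "checkout/step2", now=1100),
    }
```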
HACK STEPS