token is issued each time you log in. If the latter occurs, then the applica-

■

If tokens appear to contain any structure and meaning, attempt to sepa-

Proper termination of sessions is important for two reasons. First, keeping the

lifespan of a session as short as is necessary reduces the window of opportu-

nity within which an attacker may capture, guess, or misuse a valid session

token. Second, it provides users with a means of invalidating an existing ses-

sion when they no longer require it, thereby enabling them to reduce this win-

dow further and to take some responsibility for securing their session in a

shared computing environment. The main weaknesses in session termination

functions involve failures to meet these two key objectives.

Some applications do not enforce effective session expiration. Once created, a

session may remain valid for many days after the last request is received, before

it is eventually cleaned up by the server. If tokens are vulnerable to some kind of

sequencing flaw that is particularly difficult to exploit (for example, 100,000

guesses for each valid token identified), an attacker may still be able to capture

the tokens of every user who has accessed the application in the recent past.

Some applications do not provide effective logout functionality:

■■

In some cases, a logout function is simply not implemented. Users have

■■

In some cases, the logout function does not actually cause the server to

browser (for example, by issuing a 

Set-Cookie

instruction to blank the