-
Apr 17th, 2002, 04:36 AM
#1
Thread Starter
Member
Session Management
Hi, I've got this horrible example exam question to revise and I have no idea really about any of this. Has anyone got any ideas?
Session management presents significant problems in database-driven web-based applications, as has been illustrated by widely publicised cases where users have been able to view the account information of other users.
Produce a set of guidelines for the effective implementation of session management. Your answer should include critical evaluations of the following session management mechanisms:
- Cookies
- URL modification
- Hidden fields
- Session variables
Thank you
Charlie
-
Apr 17th, 2002, 06:55 AM
#2
PowerPoster
Basically they're saying that there are no truly secure ways to conduct e-commerce, fundamentally caused by HTTP being a stateless protocol. To maintain state you have to use one of those methods, which all have inherent problems.
Cookies: user may turn them off. Varying browser support, sometimes patchy. User can easily delete them.
URL modification: other people can hijack the URL, so they can pose as the person. They get to see any information intended for that person, which may include account/credit card info.
Hidden fields: View Source is a developer's worst enemy.
Session vars: Usually tie in with cookies or URL modification. If access isn't correctly set up, other people can read them and hence get the information they contain. Also, the info is usually displayed to the user at some stage, which relates back to the URL hijacking.
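
The hidden-field and session-variable points from the reply above, shown as an added Python example that is not part of the original thread: the first handler trusts an account id sent back by the browser, the second keeps it in server-side session variables keyed by a random id carried in a cookie. The account data, function names and 15-minute timeout are constructed for illustration.

```python
import secrets
import time

# Constructed sample data: account records keyed by account id.
ACCOUNTS = {"1001": "charlie: balance 250.00", "1002": "alex: balance 9000.00"}
SESSION_TTL = 900   # assumed idle timeout, in seconds
SESSIONS = {}       # server-side session variables, keyed by random session id


def view_account_hidden_field(form):
    """Weak: trusts the account id the browser sends back in a hidden field."""
    return ACCOUNTS.get(form.get("account_id"))


def login(account_id, now=None):
    """Start a session after authentication; only the random id leaves the server."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable, unlike a counter or user id
    SESSIONS[sid] = {"account_id": account_id, "expires": now + SESSION_TTL}
    return sid


def session_cookie(sid):
    """Carry the id in a cookie rather than the URL, so it stays out of links and logs."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def view_account_session(sid, form, now=None):
    """Hardened: the account id is read from the server-side session, never the form."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[sid]          # expired sessions are destroyed, not just ignored
        return None
    sess["expires"] = now + SESSION_TTL  # sliding idle timeout
    return ACCOUNTS[sess["account_id"]]


def logout(sid):
    """Invalidate on the server; deleting the cookie alone is not enough."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    tampered = {"account_id": "1002"}        # hidden field edited by the client
    sid = login("1001")
    print(view_account_hidden_field(tampered))   # alex's record is returned
    print(view_account_session(sid, tampered))   # charlie's record is returned
```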
-
Apr 17th, 2002, 08:52 AM
#3
Thread Starter
Member
That is a real help,
Thanks
Charlie