﻿1
00:00:00,930 --> 00:00:02,550
Session-related issues.

2
00:00:03,590 --> 00:00:08,420
So cookies are used to implement session management for Web applications.

3
00:00:09,450 --> 00:00:15,240
In order to avoid attacks against session management, an application should have a good cookie policy

4
00:00:15,240 --> 00:00:20,400
because the session ID that identifies the user is carried in the cookie.

5
00:00:21,410 --> 00:00:24,860
That's why cookies are so very important to an application.

6
00:00:25,780 --> 00:00:32,980
So now let's talk about the session ID value that is transported in the cookies. The session ID represents

7
00:00:32,980 --> 00:00:39,970
the user, so after the user logs into the application, it is as important as the login data itself.

8
00:00:40,150 --> 00:00:41,350
Username and password.

9
00:00:41,960 --> 00:00:51,400
A session ID value should be unique, random, unpredictable, and long enough, so these properties can

10
00:00:51,400 --> 00:00:56,500
make the session ID resistant to session analysis and brute-force attacks.

11
00:00:57,280 --> 00:01:01,000
But often, very often, this is not enough for protection.

12
00:01:01,720 --> 00:01:07,370
The application should transport the session value in a safe way, such as HTTPS.

13
00:01:08,140 --> 00:01:14,620
So now we have a session ID value that is transported safely and it's strong against attacks.

14
00:01:15,250 --> 00:01:21,000
But the last thing is that a session ID should also have a lifetime.

15
00:01:21,730 --> 00:01:23,470
I mean, this is absolutely true.

16
00:01:23,920 --> 00:01:28,450
A session ID value should be created and live until a certain time.

17
00:01:28,990 --> 00:01:32,630
That's why this session ID should have an expiration date.

18
00:01:33,340 --> 00:01:39,610
So in general, for session ID values, if the expiry date is not set, the session will last until

19
00:01:39,610 --> 00:01:47,500
the browser is closed, and if it's directly set, the session ID will be stored in the browser until

20
00:01:47,500 --> 00:01:48,780
the expiry date.

21
00:01:49,540 --> 00:01:50,680
So, as pentesters,

22
00:01:50,680 --> 00:01:56,950
We should check all of these properties and then report all of those findings about the insecure session

23
00:01:56,950 --> 00:01:57,820
ID values.

