The Little-Known Horrors of Web Application Session Management

DerbyCon V - Unity

Presented by: Matthew Sullivan
Date: Sunday September 27, 2015
Time: 10:00 - 10:50
Location: Track 1
Track: Break Me

Web application session management sounds pretty straightforward, right? Send creds, get a cookie, send the cookie on subsequent requests, and you’re in. While that may be true, it’s only half of the (horror) story. In this technical, example-driven talk, we’ll dive into session management issues in a manner friendly to both newbies and veterans alike. We’ll describe some of the more common web app session management issues, discover industry trends (“I don’t need no stinkin’ database!”), and detail some of the new directions in session management security. I’ll wrap up the talk by demonstrating some ways in which web app sessions can be made more resilient to attacks.

KhanFu - Mobile schedules for INFOSEC conferences.