
Secure Session Management for Web Applications

Development
Location: 2006
Level: Expert

Strong session management is a crucial part of a secure web application. Since HTTP does not directly provide a session abstraction, application developers must bake their own using cookies.

However, it is surprisingly easy to make a mistake here, even when the application uses a sophisticated application framework. When we perform security reviews of web applications, we almost always find fatal flaws in this area that would allow a malicious person to steal sensitive data, perform fraudulent financial transactions, and generally ruin a user’s day.

Developing an application with secure session management requires developers to understand the few (but crucial) subtleties of cookies—their attributes, their values, and how to keep them confidential—and to understand how real-world attackers are abusing weak session management right now.
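The points the abstract raises (random, server-bound cookie values; the cookie attributes that keep them confidential; expiry and rotation) are illustrated below in an added Python example that is not part of the original session listing or iSEC's own code. Every name in it (`SESSION_COOKIE`, `issue_session`, `validate_session`, `rotate_session`, `cookie_attribute_findings`, the in-memory `_store`) is an assumption made for illustration, and the dictionary stands in for whatever server-side store a real application would use.

```python
"""Session cookie issuance and validation with the attributes a reviewer checks.

Added example for illustration; not code from the original page. All names
here are assumptions, and the server-side store is a plain dict standing in
for a database or cache.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

SESSION_COOKIE = "sid"      # assumed cookie name
SESSION_TTL = 15 * 60       # 15-minute idle timeout, an assumed policy value

# Server-side session store: session token -> record (constructed stand-in).
_store: Dict[str, dict] = {}


def _sign(token: str, key: bytes) -> str:
    """HMAC over the random token so a tampered or guessed id is rejected early."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


def issue_session(user_id: str, key: bytes, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a session; return (cookie value, Set-Cookie header)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)       # 256 bits from the CSPRNG, not a counter or timestamp
    value = f"{token}.{_sign(token, key)}"
    _store[token] = {"user": user_id, "expires": now + SESSION_TTL}
    header = (
        f"{SESSION_COOKIE}={value}; Path=/; Max-Age={SESSION_TTL}; "
        "Secure; HttpOnly; SameSite=Lax"    # Secure: TLS only; HttpOnly: no script access
    )
    return value, header


def weak_set_cookie(user_id: str) -> str:
    """The pattern a review often finds: a value derived from known data, no attributes."""
    return f"{SESSION_COOKIE}=user:{user_id}:{int(time.time())}"


def validate_session(cookie_value: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a valid, unexpired session, else None."""
    now = time.time() if now is None else now
    token, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(mac, _sign(token, key)):   # constant-time comparison
        return None
    record = _store.get(token)
    if record is None:
        return None
    if now >= record["expires"]:
        _store.pop(token, None)             # expired sessions are evicted, never reused
        return None
    record["expires"] = now + SESSION_TTL   # sliding idle timeout
    return record["user"]


def rotate_session(cookie_value: str, key: bytes, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Re-issue the id (e.g. after login) so a pre-authentication id never carries into an authenticated session."""
    user = validate_session(cookie_value, key, now)
    if user is None:
        return None
    _store.pop(cookie_value.rpartition(".")[0], None)   # old id stops working immediately
    return issue_session(user, key, now)


def cookie_attribute_findings(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie header that lacks the attributes a session cookie needs."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return [f"missing {needed}" for needed in ("secure", "httponly", "samesite") if needed not in attrs]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed key; a real deployment loads it from configuration
    value, header = issue_session("alice", key)
    print(header)
    print("valid for:", validate_session(value, key))
    print("weak header findings:", cookie_attribute_findings(weak_set_cookie("alice")))
```

The value sent to the browser carries no user data at all: it is a random token plus an HMAC, and everything about the session lives server-side, which is what makes expiry, rotation and logout enforceable. `cookie_attribute_findings` is the kind of check worth running against a deployed application's `Set-Cookie` headers during a review.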

In this session we hope to help web application designers, developers, and operators create and deploy secure web applications. (Or at least applications in which session management is not the weakest link!)

Chris Palmer

iSEC Partners

Chris Palmer is a senior security consultant with iSEC Partners, a strategic digital security company. Prior to iSEC, Chris worked for the Electronic Frontier Foundation where he provided technical management and analysis of several key EFF projects and provided technical advice to EFF (and other) lawyers. Prior to the EFF, Chris built web applications.