This series, and my blog, have moved!
It is my firm opinion that only the session management features in your framework should be used to manage identity or a user session. HTTP/1.1 was never designed to manage these concepts, so there is no built-in way to do this in the protocol itself. Frameworks such as .NET, Ruby on Rails and Spring have built-in features to handle this, and you should always use those features. Don't be tempted to think you can do better on your own; let the experts handle this for you.
As an ex-dev, I know the temptation to write your own. Trust me, don’t.
Much of the information in this section was learned from the OWASP Cheat Sheet — Session Management, as written by Raul Siles. For a much more in-depth look on this topic, check it out.
Below is general guidance on session management. Again, always use the features in your framework, and beyond that follow the advice below...
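To make concrete what a framework's session layer is doing on your behalf, here is an added, self-contained Python sketch of a server-side session store; it is not code from the original post, from any framework, or from the OWASP cheat sheet. The client holds only an opaque random ID (128 bits from the OS CSPRNG), the server enforces idle and absolute timeouts, the ID is regenerated on login, and the cookie is sent with Secure, HttpOnly and SameSite. The names, the timeout values and the 16-byte ID length are assumptions chosen for illustration; your framework already does all of this, which is exactly why you should use it rather than this.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative values (assumptions for this example, not framework defaults).
SESSION_ID_BYTES = 16            # 128 bits of entropy from the OS CSPRNG
IDLE_TIMEOUT_S = 15 * 60         # log out after 15 minutes of inactivity
ABSOLUTE_TIMEOUT_S = 8 * 3600    # log out 8 hours after creation regardless


@dataclass
class Session:
    user: Optional[str]          # None until the user authenticates
    created: float               # wall-clock time the session was created
    last_seen: float             # last request that presented this ID
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side store: all state lives here, the browser only gets an ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: dict = {}
        self._clock = clock      # injectable so timeouts can be tested

    def create(self, user: Optional[str] = None) -> str:
        # token_urlsafe draws from secrets (CSPRNG), never from random.random()
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session, expiring it if either timeout has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created > ABSOLUTE_TIMEOUT_S:
            self.destroy(sid)
            return None
        s.last_seen = now        # sliding idle window
        return s

    def login(self, sid: str, user: str) -> str:
        """Issue a fresh ID on authentication so a pre-login ID is never promoted."""
        old = self.get(sid)
        carried = dict(old.data) if old else {}
        if old:
            self.destroy(sid)    # the anonymous ID must stop working immediately
        new_sid = self.create(user=user)
        self._sessions[new_sid].data = carried
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, name: str = "SESSIONID") -> str:
    """Cookie attributes a framework sets for you: no JS access, HTTPS only, CSRF-resistant."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(set_cookie_header(authed))
    print("old id still valid?", store.get(anon) is not None)
```

The injectable clock is what lets the timeout logic be exercised without sleeping; in a real deployment you would of course leave it at `time.time`.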
Top comments (1)
Do you mean 128-bits(16 bytes) of entropy?