The Web is built on the shoulders of HTTP, a stateless protocol for transferring hypertext. Modern and complex web applications keep track of a user’s state within so-called web sessions. A session usually starts either when a user connects or logs in to a website. Logging in usually promotes a session to access sensitive functionality and data. At last, a web server may destroy a session after an expiration time or when a user logs out. In all of these stages, the security of session management plays an important role, as flaws may lead to the leakage of credentials, the exposure of personally identifiable information or lengthen the time frame for possible attacks unnecessarily.
In this paper, we report on the state of session security on more than 6000 websites. We assess the widespread of well-known security flaws for all stages in the lifecycle of a web session: before logging in, logged in, and after logging out. Our findings show that a substantial portion of sites suffer from well-known vulnerabilities or follow insecure practices. Which one these are and how to protect against them is discussed in length in our paper.