DEV Community

Tanya Janca for Microsoft Azure


Pushing Left, Like a Boss — Part 5.4 — Session Management

This series, and my blog, have moved!

It is my firm opinion that only the session management features in your framework should be used to manage identity or a user session. The HTTP 1.1 protocol was never designed to manage these concepts, and thus there is no default way to do this built into it. When you choose a framework, such as .NET, Ruby or Spring, it has built-in features to handle this, and you should always use those features. Don’t be tempted to think you can do better on your own; let the experts handle this for you.

As an ex-dev, I know the temptation to write your own. Trust me, don’t.

Much of the information in this section was learned from the OWASP Cheat Sheet — Session Management, as written by Raul Siles. For a much more in-depth look at this topic, check it out.

Below is general guidance on session management. Again, always use the features in your framework, and otherwise follow the advice below...

Read the rest of this article on my NEW blog!

Top comments (1)

Tari R. Alfaro

Session IDs should be at least 128 characters long.

Do you mean 128-bits(16 bytes) of entropy?
