Invalidating a session using session id
There are four techniques which can be used to identify a user session:
a) Cookies
b) Hidden Fields
c) URL Rewriting
d) Session Object
With the Cookies, Hidden Fields and URL Rewriting approaches, the client always sends a unique identifier with each request and the server determines the user session from that identifier, whereas the session tracking approach using a Session Object uses the other three techniques internally.
A cookie is a key-value pair of information sent by the server to the browser; the browser then sends this identifier back to the server with every subsequent request.
URL Rewriting is the approach in which a unique session identifier is appended to each request URL so the server can identify the user session.
For example, if we apply URL rewriting on it, the URL will become something like ?jSessionId=XYZ, where jSessionId=XYZ is the attached session identifier and the value XYZ will be used by the server to identify the user session.
URL rewriting has several advantages over the approaches discussed above: it is browser independent, and it works even if the user's browser does not support cookies or the user has disabled them.
If you were reviewing an application against the ASVS standard and you noticed that the Session ID had changed on logout, you can be pretty sure that all session data has been cleared and is no longer available from the client.
Yes, technically it is possible to code a system to migrate any session data to the new session, but as there is no real reason to do this it is a good measure of the quality of the application's session handling.
In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).
The Session ID itself can be viewed as a piece of private information that was associated with the authenticated user session.
I do not see a clear point why it is necessary to have the session id changed or cleared after logout.
Clearing this ID from the client side ensures that this private value is no longer available.
We will discuss Cookie in detail in one of the upcoming chapters. A Cookie object can be created using a name-value pair.
The server sends this ID back to the client, and from then on the browser sends this ID with every request of that user to the server, which uses it to identify the user. Browser sessions and server sessions are different things.
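As an added example (not code from the original tutorial or from the Stack Exchange discussion), a hypothetical servlet shows the two session ID operations the text touches on: rotating the identifier at login so a fixated ID no longer maps to the authenticated session, and invalidating the session and expiring the JSESSIONID cookie on logout so the ID is no longer available from the client. The class name, the "userId" attribute key and the "/logout" path are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet illustrating session ID rotation at login and
// full invalidation at logout (example code, not from the page's tutorial).
public class SessionLifecycleServlet extends HttpServlet {

    // Called once the user's credentials have been verified (verification not shown).
    static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession session = request.getSession(true);
        // Servlet 3.1+: keep the session's attributes but issue a fresh ID, so an
        // identifier planted before authentication (fixation) is no longer valid.
        request.changeSessionId();
        session.setAttribute("userId", userId);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds
    }

    // Logout: server-side invalidation plus client-side cookie removal.
    static void onLogout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false); // never create one just to kill it
        if (session != null) {
            // The server forgets the ID and all attributes; this also covers IDs that
            // arrived via URL rewriting, which no cookie change could remove.
            session.invalidate();
        }
        // Expire the cookie in the browser; the path must match the one the container set.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        String ctx = request.getContextPath();
        expired.setPath(ctx.isEmpty() ? "/" : ctx);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if ("/logout".equals(request.getServletPath())) {
            onLogout(request, response);
            response.sendRedirect(request.getContextPath() + "/");
        }
    }
}
```

After onLogout, a client that replays the old JSESSIONID (by cookie or by rewritten URL) gets a new, empty session rather than the authenticated one, which is the observable behaviour the ASVS review described above is checking for.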