On the OWASP web site one of their top ten items states that we should consider regenerating a new session upon successful authentication or privilege level change.
What would be the correct way of doing this?
One thing a co-worker has told me but I haven't tested is that when a user uses browser tabs each tab does not get its own session, so I think that would negate the whole exercise.
Thanks, Paul Speranza
Depending on the language you are using, you would simply call something like session.invalidate() and then redirect which would create a new session.
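As an added illustration (not code from the question or answer above), here is a small in-memory session store in Python that does what the answer describes: on successful login the old session ID is invalidated, a fresh one is issued, and only whitelisted data is carried over, so a session ID known before authentication never becomes an authenticated one. The user table, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the example: username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt"
_USERS = {"paul": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def check_credentials(username, password):
    """Constant-time comparison of a password against the stored PBKDF2 hash."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


class SessionStore:
    """Minimal server-side session store keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)  # None once the ID has been invalidated

    def regenerate(self, old_sid, keep=()):
        """Invalidate old_sid and return a fresh ID, copying only the listed keys.
        Whoever learned the pre-authentication ID is left with a dead session."""
        old = self._sessions.pop(old_sid, None) or {}
        new_sid = self.create()
        self._sessions[new_sid] = {k: old[k] for k in keep if k in old}
        return new_sid


def login(store, sid, username, password):
    """Handle a login; returns the session ID the response cookie must now carry."""
    if not check_credentials(username, password):
        return sid  # failed login: the anonymous session stays as it was
    new_sid = store.regenerate(sid, keep=("cart",))
    store.get(new_sid)["user"] = username  # only the fresh session is authenticated
    return new_sid
```

The returned ID must replace the session cookie in the login response; since all tabs of one browser share that cookie, every tab moves to the new session together.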