nerdexam
(ISC)2

CISSP · Question #315

Access to which of the following is required to validate web session management?

The correct answer is C. Session state variables. Validating web session management requires examining session state variables, which contain the actual session data such as tokens, identifiers, and authentication states that define how sessions are created, maintained, and terminated.

Submitted by kwame.gh· Mar 5, 2026Software Development Security

Question

Access to which of the following is required to validate web session management?

Options

  • ALog timestamp
  • BLive session traffic
  • CSession state variables
  • DTest scripts

How the community answered

(67 responses)
  • A
    4% (3)
  • B
    7% (5)
  • C
    73% (49)
  • D
    15% (10)

Why each option

Validating web session management requires examining session state variables, which contain the actual session data such as tokens, identifiers, and authentication states that define how sessions are created, maintained, and terminated.

ALog timestamp

Log timestamps record when events occurred but do not reveal the content or structure of session data necessary to assess session management controls.

BLive session traffic

Live session traffic captures network-level data in transit, but without examining the session state variables themselves, it is insufficient to fully validate how the application manages session state internally.

CSession state variablesCorrect

Session state variables directly reflect how the application manages session lifecycle, including session token generation, expiration, invalidation, and storage. Reviewing these variables allows a tester to verify that sessions are properly created upon authentication, securely maintained during interaction, and correctly destroyed upon logout, which are the core aspects of session management validation.

DTest scripts

Test scripts are tools used to execute tests but are not the source of information needed to validate session management; they do not themselves contain the session state data under review.

Concept tested: Web session management validation and session state analysis

Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/README

Topics

#web session management#session state#web application security#security testing

Community Discussion

No community discussion yet for this question.

Full CISSP Practice