CISSP · Question #499
Which of the following will help prevent improper session handling?
The correct answer is B. Ensure that tokens are sufficiently long, complex, and pseudo-random.. The best way to prevent improper session handling is to ensure that tokens are sufficiently long, complex, and pseudo-random. Session handling is a process of managing the state and interaction of a user with a web application or service. Session handling typically involves creat
Question
Which of the following will help prevent improper session handling?
Options
- AEnsure that all UlWebView calls do not execute without proper input validation.
- BEnsure that tokens are sufficiently long, complex, and pseudo-random.
- CEnsure JavaScript and plugin support is disabled.
- DEnsure that certificates are valid and fail closed.
How the community answered
(52 responses)- A6% (3)
- B85% (44)
- C2% (1)
- D8% (4)
Explanation
The best way to prevent improper session handling is to ensure that tokens are sufficiently long, complex, and pseudo-random. Session handling is a process of managing the state and interaction of a user with a web application or service. Session handling typically involves creating, maintaining, and terminating a session, which is a temporary and unique identifier that links the user to the web application or service. A session token is a value that is generated and assigned to the user when the user authenticates to the web application or service, and it is used to track and validate the user's requests and responses. A session token is usually stored in a cookie, a hidden field, or a URL parameter, and it is sent along with each request and response. Improper session handling is a security risk that occurs when the session token is exposed, intercepted, guessed, or stolen by an attacker, who can then use it to impersonate or hijack the user's session, and gain unauthorized access or privileges to the web application or service. To prevent improper session handling, the session token should be sufficiently long, complex, and pseudo-random, meaning that it should have enough length and entropy to resist brute-force or dictionary attacks, and it should be generated using a secure random number generator that produces unpredictable and non-repeating values. Ensuring that all UIWebView calls do not execute without proper input validation, ensuring JavaScript and plugin support is disabled, and ensuring that certificates are valid and fail closed are not the best ways to prevent improper session handling, as they are not directly related to the session token generation or management, or they may not be applicable or feasible in all scenarios.
Topics
Community Discussion
No community discussion yet for this question.