Session Identifier

From IDESG Wiki

Proposed Definition

  1. An artifact created by some Digital Entity on the internet to track a user during a limited connection with that user.
  2. An identifier that is created when a user signs into a site and is destroyed when the user signs out, or is signed out by the web site.


  1. This identifier will nearly always be present when browsing to create continuity of a user experience even though HTTP is designed as a "stateless" protocol.


  • On Wikipedia, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges.
  • Session ID (sid) in OpenID Connect Front-channel Logout - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP (from the definition). Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier, but is otherwise not specified. It represents the IdP's concept of a session, which may bear no relation to the session between the RP and the user agent as described above.
  • Session_id in HTTPS (TLS): this is used for the TLS connection. If the session_id from the client is not empty, the server will search for previously cached sessions and resume that session if a match is found. While this session ID is not made available to upper-level software in common commercial implementations, the RFC 5705 Keying Material Exporters for Transport Layer Security (TLS) spec describes a method for a client and a server to select a common value known as Exported Keying Material (EKM) from the TLS session by a method that attackers should not be able to duplicate.
  • A session ID is a unique number that a Web site's server assigns to a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator). Some Web servers generate session IDs by simply incrementing static numbers. However, most servers use algorithms that involve more complex methods, such as factoring in the date and time of the visit along with other variables defined by the server administrator.
  • Session Management Cheat Sheet from OWASP. The session ID or token binds the user authentication credentials (in the form of a user session) to the user HTTP traffic and the appropriate access controls enforced by the web application. A strong assertion is made that the session ID must be secure and not guessable.
  • W3C Session Identification URI, where a Uniform Resource Identifier for identifying HTTP sessions is described. Session identification URIs permit HTTP transactions to be linked within a limited domain. This provides a balance between the needs of commercial servers for demographic data collection and the privacy concerns of users. In addition, session identification URIs may be used as part of a high-security authentication mechanism to prevent replay attacks.
  • Microsoft defines the session ID as enabling an ASP.NET application to associate a specific browser [user agent] with related session data and information on the Web server. Session ID values are transmitted between the browser and the Web server in a cookie, or in the URL if cookieless sessions are specified.

Privacy Considerations

  1. Some jurisdictions require users to accept, or at least to know, when they are being tracked with cookies. It is not clear whether other tracking mechanisms, like state carried in HTTP itself, are covered by the same restrictions.
  2. DO NOT TRACK (DNT) in HTTP is described here.
  3. If the session identifier or a subject ID can be used to correlate information in one RP session with an unrelated RP session, then user profiles can be accumulated by large social entities on the internet.
  4. Otherwise the EU has determined that session ids are not necessarily a privacy threat that is covered by the GDPR.

Security Considerations

  1. OWASP has enumerated methods for testing if a session exposes information that can be used by attackers to hijack a user's authenticated session with an RP.
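As an added example (not code from this wiki, from OWASP, or from any vendor named above), a minimal Python session store that follows definition 2 and the OWASP guidance cited above: the ID is drawn from the OS CSPRNG at sign-in, destroyed at sign-out, and sent to the browser only as an opaque cookie; a crude version of the predictability test flags the "incrementing static number" scheme mentioned in the bullet list. All names and values are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example of definition 2: a session ID is created at sign-in
# and destroyed at sign-out. The ID itself is random and opaque; the binding
# to the user lives only in this server-side table, never in the cookie.

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG, well above OWASP's minimum


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # session_id -> user_id

    def sign_in(self, user_id: str) -> str:
        """Issue a fresh, unguessable session ID for an authenticated user."""
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.sessions[session_id] = user_id
        return session_id

    def user_for(self, presented_id: str) -> Optional[str]:
        """Resolve a presented ID; None if unknown or already destroyed."""
        return self.sessions.get(presented_id)

    def sign_out(self, session_id: str) -> None:
        """Destroy the session so the old ID is no longer accepted."""
        self.sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value carrying only the opaque ID, with the attributes the
    OWASP cheat sheet recommends (HTTPS-only, not readable by page scripts)."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def looks_sequential(ids: List[str]) -> bool:
    """Crude predictability check in the spirit of the OWASP tests: do the
    issued IDs decode as integers with one constant step (a plain counter)?"""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False  # non-numeric IDs are at least not a bare counter
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 1 and len(steps) == 1
```

A server that passes `looks_sequential` still needs the other OWASP checks (length, entropy, rotation after login); this function only catches the weakest scheme the list describes.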



