Posts

Showing posts from January, 2013

Have a personal compass, keep it pointed "true north"

Have principles and practices

This is super important because you become your practice and principles. Here are some of mine:

- I think about my work, I research approaches, I ask a lot of questions.
- I am visual: show me the mocks. I create design diagrams such as UML diagrams.
- I refactor and code together, I write tests, I work on projects which develop incrementally (design, code, test, repeat), etc.
- I respect and look for others' opinions. I like to have fun at work and not take myself too seriously.
- I estimate the work as best I can, but am often wrong; that's estimates, innit!
- I'm not dogmatic; what works is often best when developing a product.
- I don't like bullshitters at any level and I'll follow courageous tech leaders over the top and into battle any day.
- I need to see a realistic plan.
- When shit hits the fan, take a deep breath and look to the data. Don't be run by emotions.
- MVC has principles. If someone's violating them then they have to refactor and fix a

Web App Session Management security risks and countermeasures

Session management is a fundamental feature of the majority of web applications. Since HTTP is stateless, sessions are typically what allows an application to uniquely identify users across requests. If an application allows a user to log in then the session is even more important, because it also identifies a user as being authenticated. Even if a user does not log in, sessions are used for features such as carts for guest users. All this makes sessions a prime target for hacker attacks. If a hacker can access a session then they can impersonate a user, i.e. they can "hijack" a session and pretend to be that user. The most common session technique is to issue each user with a session id/token. On each request the session id is submitted and the app on the server can then identify the user. HTTP cookies are used in most cases to exchange the session id. The server responds with a "Set-Cookie" HTTP header and thereafter the browser sends the cookie back to the server in