3.1 Uses default session management

Verify that there is no custom session manager, or that the custom session manager is resistant against all common session management attacks.

Levels: 1, 2, 3


Implementations built from scratch are often weak and breakable. Developers are strongly discouraged from implementing their own Session Management. Leading web frameworks have undergone rounds of testing and fixing that leave them using secure methods of token generation. There is no value in re-writing such basic building blocks.


First grep the codebase for usage of ‘session_set_save_handler‘. Though (rarely) it’s also possible that a developer could have implemented his own session mechanism without even using the default session functions. For this you’ll have to look at each part of the application and how it stores and retrieves state across page requests.