Centralised Management of Web Application Sessions
Web apps use a server to handle and secure user sessions instead of relying on the user's device.
Plain language
This control means that when you use a web application—like online banking or a shopping site—your session is managed and secured on the company's server rather than relying on just your computer or phone to keep the connection safe. This is important because if the session was managed only on your device, it might be easier for hackers to hijack your session and pretend to be you, possibly leading to unauthorised access to your accounts and sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
Web application sessions are centrally managed server side.
Why it matters
Without centralised, server-side session management, attackers can more easily hijack sessions, gaining unauthorised access to web application data.
Operational notes
Manage all web app sessions centrally on the server (avoid client-stored session state), rotate session IDs on login, and monitor for anomalous session reuse.
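The pattern this note describes, as an added example in Python (not code from the ISM or this page): all session state lives in a server-side store, the browser only holds an opaque random ID, the ID is rotated at login, idle sessions expire, and any reuse of a retired ID is recorded as an alert for monitoring. The in-memory store, the 15-minute idle timeout and the alert wording are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed policy value for this example


class SessionStore:
    """Server-side session store: the client never holds session state, only an ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user", "last_seen", "data"}
        self._retired = {}    # rotated/expired/logged-out IDs -> reason, kept to spot reuse
        self.alerts = []      # anomalous-reuse events for the monitoring pipeline

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256-bit unguessable ID
        self._sessions[sid] = {"user": None, "last_seen": self._clock(), "data": {}}
        return sid

    def get(self, sid):
        """Return session state, or None; retired and idle-expired IDs are rejected."""
        if sid in self._retired:
            # A client presenting a retired ID is the "anomalous session reuse" signal.
            self.alerts.append(f"reuse of {self._retired[sid]} session id")
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            self._retired[sid] = "expired"
            return None
        sess["last_seen"] = self._clock()
        return sess

    def login(self, sid, user):
        """Authenticate and rotate the ID so the pre-login ID cannot be replayed."""
        old = self.get(sid)
        if old is None:
            raise PermissionError("unknown or expired session")
        self._sessions.pop(sid)
        self._retired[sid] = "rotated"
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock(), "data": old["data"]}
        return new_sid

    def logout(self, sid):
        if self._sessions.pop(sid, None) is not None:
            self._retired[sid] = "logged-out"
```

In a real deployment the store would be a shared backend (database or cache) so every application node sees the same sessions, and `alerts` would feed the SIEM rather than a list.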
Implementation tips
- The IT team should ensure that the web applications they develop or use are designed to handle user sessions centrally on the server. This involves configuring the server to manage session authentication and timeout settings securely, minimising the risk of session hijacking.
- The web application developer should implement server-side session management by using established frameworks or libraries that provide built-in session handling. This helps manage user log-ins, log-outs, and session data in a secure and streamlined manner.
- System administrators should monitor server logs for any unusual session activities, like repeated attempts to hijack active sessions. Set up alerts for any anomaly, which allows timely intervention to protect user data.
- Managers of web application projects should conduct regular training for staff on the importance of server-side session management. This training could include real-world examples of session hijacking and how server-side management offers protection.
- Procurement teams should evaluate web application options, ensuring they include centralised session management features. They should prioritise solutions that have strong security credentials in place, verified by reputable security certifications.
Audit / evidence tips
- Ask: the web application's architecture diagram. Review where session management is highlighted and ensure it is designed to be server-side.
  Good: shows clear indications of server-side logic with supporting documentation.
- Good: logs showing seamless session tracking with zero irregular activities.
- Ask: procedure documentation on how sessions are managed. Review instructions that guide developers on implementing server-side session handling.
  Good: includes step-by-step procedures and examples of utilised frameworks or libraries.
- Good: a report showing regular sessions, updated content, and attendance lists.
- Ask: security assessment reports on web applications in use. Examine if the assessment covered session management vulnerabilities and made recommendations.
  Good: shows reassessment results post-implementation of recommendations, confirming the server-side session management is robust.
Cross-framework mappings
How ISM-2066 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.28 | Partially meets. ISM-2066 requires web application sessions to be centrally managed server side to reduce risks such as session tampering and weak client-... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.