Syllabus Point
- Design, develop and implement code considering efficient execution for the user
Including:
- memory management
- session management
- exception management
Design, develop and implement code considering efficient execution for the user.
Memory management
The practices and techniques used to protect sensitive data in memory (passwords, session tokens, encryption keys) and ensure they are not exposed to unauthorised users, and are cleared from memory when no longer needed.
Key concepts:
- Avoid storing sensitive data in plain text, and instead use hashed versions.
- Clear sensitive data from memory after processing it.
- Use secure libraries to handle sensitive information to ensure they follow good practises for memory security.
- Avoiding buffer overflows, by validating the size of inputs and ensuring memory is accessed within defined bounds.
- Buffer overflow is when a program writes more data to a memory location than it can hold and potentially overwrites adjacent memory
- Some languages have automatic memory management, so garbage collection helps release unused memory automatically.
- Developers should still optimise memory use by reducing the number of unnecessary object creations.
Session management
Session management is about maintaining a user’s state and data across multiple interactions with a web application. A session is a way for a web application to remember the state of a user across multiple interactions or page loads. They are usually managed using cookies, which are small pieces of data stored in the user’s browser and have a session ID which is used to recognise and authenticate the user.
Key concepts:
Session ID
Unique identifier stored in a cooker in the user’s browser and passed to the server with each request.
Usually randomly generated, encrypted, and expire after a certain period.
Should be stored securely to prevent session fixation or session hijacking.
Session timeout
Sessions should automatically expire after a period of inactivity to reduce the risk of unauthorised access.
Session regeneration
The session ID should be regenerated during key events (login or password change) to prevent session fixation attacks.
Session cookies
Session cookies should only be stored using HttpOnly and Secure flags to prevent JavaScript from accessing the cookie, and ensuring the cookie is only transmitted over encrypted HTTPS connections.
Key vulnerabilities:
Session fixation attacks and hijacking.
Session fixation is when attackers set or fix the session ID of a user before they log in, to trick them into logging in with a known session ID and accessing the user’s data.
Session hijacking occurs when an attacker takes over a user’s active session by intercepting or stealing a valid session ID through man-in-the-middle attacks or XXS, and impersonating the user to access their account.
Exception management
Exception management involves handling unexpected events during execution. Proper handling ensures that errors do not lead to application crashes, data corruption or exposure of sensitive information.
Software shouldn’t crash or abruptly end.
Internal details should stay hidden, and error messages shouldn’t reveal sensitive information.
Logging helps developers track and analyse error patterns.
Only stores necessary details to reduce memory and storage usage.
Related Resources
Keep Progressing
Use the lesson navigation below to move through the module sequence.
