Security Broken Authentication And Session Management


// Security - Broken Authentication and Session Management:

Examples of broken authentication and session management:

1. Applications that support URL rewriting and put session IDs in the URL.
   An authenticated user of the site wants to let his friends know about the 
   sale. He e-mails the link without knowing he is also giving away his 
   session ID. When his friends use the link they will use his session and 
   credit card.

2. Application’s timeouts aren’t set properly. User uses a public computer to 
   access site. Instead of selecting “logout” the user simply closes the browser 
   tab and walks away. Attacker uses the same browser an hour later, and that 
   browser is still authenticated.

3. An insider or external attacker gains access to the system’s password database. 
   User passwords are not properly hashed, exposing every user’s password to the 
   attacker.

To Prevent 'Broken Authentication and Session Management':

1. Meet all the authentication and session management requirements defined in 
   OWASP’s Application Security Verification Standard (ASVS) areas V2 
   (Authentication) and V3 (Session Management).

2. Have a simple interface for developers. Consider the ESAPI Authenticator and 
   User APIs as good examples to emulate, use, or build upon:
   http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html
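As an added illustration (not code from this page or from OWASP's ESAPI), here is a minimal Python session store and password-storage routine addressing the three examples above: random session IDs carried only in a cookie rather than the URL, server-enforced idle and absolute timeouts, and per-user salted PBKDF2 hashing. The timeout values, round count and function names are my own assumptions.

```python
import hashlib, hmac, os, secrets, time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity allowed before the session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime, active or not (assumed value)
PBKDF2_ROUNDS = 600_000      # slow hash: brute force on a stolen database costs real CPU time

class SessionStore:
    """Server-side sessions keyed by an unguessable random ID (example code)."""
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so timeouts can be tested deterministically
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; not derived from user data
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or timed out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)        # closing the tab is not a logout; the server must expire it
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def session_cookie(sid):
    # The ID travels only in a cookie, never in the URL, so it cannot be e-mailed or logged
    return f"SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison
```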