Flawed authentication and session management are the second most critical vulnerability in web applications nowadays.
Authentication is the process whereby users prove that they are who they say they are; this is usually done through usernames and passwords. Common flaws in this area are permissive password policies and reliance on security through obscurity (leaving supposedly hidden resources without any authentication).
Session management is the handling of the session identifiers of logged-in users; in Web servers this is done with session cookies and tokens. These identifiers can be implanted, stolen, or "hijacked" by attackers through social engineering, cross-site scripting, CSRF, and similar attacks. Hence, a developer must pay special attention to how this information is managed.
In this recipe, we will cover some of the best practices for implementing username/password authentication and for managing the session identifiers of logged-in users.
Login data is incorrect.
Invalid username or password.
Access denied.
http:// is used in the URL and prevents the overriding of the "invalid certificate" message, for example, the one shown when using Burp Suite. For more information, see: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.

Authentication mechanisms in Web applications are very often reduced to a username/password login page. Although not the most secure option, it is the easiest for users and developers; and when dealing with passwords, their most important aspect is their strength.
As we have seen throughout this book, the strength of a password is given by how hard it is to break, whether by brute force, dictionary attack, or guessing. The first tips in this recipe are meant to make passwords harder to brute-force by establishing a minimum length and using mixed character sets; harder to guess by eliminating the more intuitive choices (user name, most common passwords, company name); and harder to break if leaked, by using strong hashing or encryption when storing them.
As for session management, the key considerations are the expiration times, the uniqueness and strength of the session ID (already provided by the language's built-in session mechanisms), and the security settings of the cookies that carry it.
The most important point about authentication security is probably that no security configuration, control, or strong password is secure enough if it can be intercepted and read through a man-in-the-middle attack; so the use of a properly configured encrypted communication channel, such as TLS, is vital to keep our users' authentication data secure.
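The password recommendations above (minimum length, mixed character sets, rejecting the user name, common passwords and the company name, salted slow hashing for storage, and a single generic error message for every login failure) put together in one place, as an added example that is not code from the original recipe. The company name, the tiny common-password list, the 12-character minimum and the PBKDF2 work factor are assumed values chosen for the example; a real application would load its own policy and a much larger breached-password list.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values for this example (assumptions, not from the recipe).
COMPANY_NAME = "examplecorp"          # assumed company name to reject inside passwords
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12                       # assumed minimum password length
PBKDF2_ITERATIONS = 200_000           # assumed work factor; raise it on production hardware
GENERIC_LOGIN_ERROR = "Invalid username or password."


def check_password_policy(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Mixed character sets: require at least three of lower, upper, digit, symbol.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if COMPANY_NAME in lowered:
        problems.append("contains the company name")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; salt and iteration count are stored with it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash of a throw-away value, used so that a login attempt for a non-existent
# user costs the same time as one for a real user.
DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(user_db: dict, username: str, password: str):
    """Return (True, None) on success, (False, GENERIC_LOGIN_ERROR) otherwise.

    The same message is returned whether the user does not exist or the password
    is wrong, so the response does not reveal which user names are valid.
    """
    stored = user_db.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, password)   # equalise timing for unknown users
        return False, GENERIC_LOGIN_ERROR
    if not verify_password(stored, password):
        return False, GENERIC_LOGIN_ERROR
    return True, None


if __name__ == "__main__":
    users = {"alice": hash_password("Tr0ub4dor&Horse!")}   # constructed sample account
    print(check_password_policy("alice", "alice2024"))
    print(authenticate(users, "alice", "wrong-password"))
    print(authenticate(users, "nobody", "wrong-password"))
    print(authenticate(users, "alice", "Tr0ub4dor&Horse!"))
```

The stored string carries the algorithm name, iteration count and salt next to the digest, so the work factor can be raised later and old records re-hashed at the user's next successful login; `hmac.compare_digest` keeps the final comparison from leaking how many bytes matched.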
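The session-management side of the recipe (unpredictable, unique identifiers; idle and absolute expiration; a fresh identifier after login; and a cookie that is only sent over TLS, is unreadable from JavaScript and is not attached to cross-site requests) as an added example that is not code from the original recipe. It assumes an in-memory store with an injectable clock, a cookie named `SESSIONID`, a 15-minute idle timeout and an 8-hour absolute lifetime; all of those are constructed values for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on session age regardless of activity
COOKIE_NAME = "SESSIONID"     # assumed cookie name


class SessionStore:
    """In-memory session store; `clock` is injectable so expiry can be exercised in tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG: unpredictable and, in practice, unique.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def get_user(self, sid: str):
        """Return the user bound to `sid`, or None if it is unknown or has expired."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if (now - record["last_seen"] > IDLE_TIMEOUT
                or now - record["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(sid)
            return None
        record["last_seen"] = now
        return record["user"]

    def rotate(self, sid: str) -> str:
        """Issue a fresh identifier for an existing session (call it right after login or a
        privilege change) so an identifier implanted or learned beforehand stays worthless."""
        record = self._sessions.pop(sid, None)
        if record is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = record
        return new_sid

    def destroy(self, sid: str) -> None:
        """Server-side logout: the identifier is invalid even if the browser keeps the cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Build the Set-Cookie value with the attributes a session cookie should carry."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True           # browser sends it only over HTTPS
    morsel["httponly"] = True         # document.cookie cannot read it (limits theft via XSS)
    morsel["samesite"] = "Strict"     # not attached to cross-site requests (limits CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = IDLE_TIMEOUT  # browser discards it when the server would anyway
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")          # session handed out before login
    sid = store.rotate(pre_login)                   # new identifier once the user is authenticated
    print("Set-Cookie: " + session_cookie(sid))
    print(store.get_user(pre_login), store.get_user(sid))
```

Expiry is enforced on the server in `get_user`, independently of the `Max-Age` the browser sees, because a stolen cookie value can be replayed from any client that ignores cookie attributes; rotation on login means whatever identifier a victim's browser held before authentication never becomes an authenticated session.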