Broken Authentication & Session Management

Broken Authentication & Session Management. What is it? Bad implementation of authentication and session management. If an attacker can get your session ID, they can steal your session.

Jan 03, 2016


Branden Craig
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it with your friends and learn new things together.
Transcript
Page 1:

Broken Authentication & Session Management

Page 2:

What is it?

• Authentication and session management implemented badly, so that an attacker can act as another user without going through a correct login.

• If an attacker can get your session ID, they can steal your session and act as you until that session expires or is invalidated.

• The session ID can be captured when it travels over an unsafe medium, such as an unencrypted HTTP connection or a URL that ends up in logs, browser history or the Referer header.

• It can also happen if an attacker obtains your password, for example through a weak password recovery flow.

Page 3:

Broken Authentication and Session Management - Vulnerabilities

• Passwords stored unhashed (or with a fast, unsalted hash).

• Weak password recovery method (guessable security questions, predictable reset tokens).

• Exposed session IDs (in URLs, logs or the Referer header).

• Long session timeout.

• Session ID not rotated at login and not invalidated server-side at logout.

• Session IDs and passwords sent over unencrypted connections.

Page 4:

Session Fixation Attack
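The slide only carries a title, so the attack it refers to is worked through below as an added example that is not part of the original deck. It models the server side with a tiny in-memory session store (the class and function names are illustrative, not from any real framework): the attacker obtains a valid anonymous session ID, plants it in the victim's browser (the planting mechanism, e.g. a crafted link, is outside this model), the victim logs in, and the attacker then checks whether the planted ID now resolves to the victim's account. The vulnerable login keeps the presented ID; the safe login discards it and issues a fresh one.

```python
import secrets

# Added example, not code from the original slides. SessionStore,
# vulnerable_login, safe_login and run_fixation_attack are illustrative names.


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        # Anonymous (pre-authentication) session, e.g. issued on first visit.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def vulnerable_login(self, sid, user):
        # BUG: authenticates the caller but keeps whatever session ID the
        # browser presented, so an ID the attacker planted becomes authenticated.
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}  # even accepts unknown IDs
        self.sessions[sid]["user"] = user
        return sid

    def safe_login(self, sid, user):
        # Fix: discard the pre-authentication session and issue a fresh,
        # unpredictable ID at the moment privilege changes (login).
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid):
        # Invalidate on the server; clearing the browser cookie alone is not enough.
        self.sessions.pop(sid, None)

    def whoami(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_fixation_attack(login):
    """Run the session fixation attack against a login routine.

    `login` is SessionStore.vulnerable_login or SessionStore.safe_login.
    Returns the user that the attacker's planted ID resolves to after the
    victim logs in; None means the attack failed.
    """
    store = SessionStore()
    planted = store.new_session()          # 1. attacker gets a valid anonymous ID
    victim_cookie = planted                # 2. attacker plants it in the victim's browser
    login(store, victim_cookie, "alice")   # 3. victim logs in presenting the planted ID
    return store.whoami(planted)           # 4. attacker reuses the same ID


if __name__ == "__main__":
    print("vulnerable login:", run_fixation_attack(SessionStore.vulnerable_login))
    print("safe login:     ", run_fixation_attack(SessionStore.safe_login))
```

With the vulnerable login the planted ID resolves to "alice", so the attacker is logged in as the victim without ever seeing a password; with the safe login the planted ID is gone and resolves to nothing. The same store shows the logout point from the vulnerabilities slide: `logout` removes the entry server-side, so a session ID captured earlier stops working.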

Page 5:

Broken Authentication and Session Management - Prevention

• Always use HTTPS for any authenticated URL, and for the login page itself, so that neither the password nor the session ID is sent in the clear.

• If storing credentials in a database, store a salted, slow password hash (bcrypt, scrypt or Argon2), never the password itself and never a reversible encryption of it.

• Set session timeouts as low as is practical to reduce the risk of exposure when someone forgets to log out at a public terminal.

• Store session IDs in cookies, never in URLs, and set the Secure and HttpOnly cookie flags.

• Invalidate the session properly: issue a new session ID at login and destroy the server-side session at logout, not just the browser cookie.
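The prevention list above, carried through as one added example that is not code from the original deck. It uses only the Python standard library: a salted scrypt password hash with constant-time verification, a Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes, and a server-side session table with an idle timeout and explicit destruction. The function and class names and the work-factor values are illustrative choices of this example.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the original slides. All names below are illustrative.

# scrypt work factor; 128 * n * r bytes of memory per hash (16 MiB here).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str) -> str:
    # A random per-user salt makes equal passwords hash differently and
    # defeats precomputed tables. Stored as "scrypt$<salt hex>$<hash hex>".
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def session_cookie(session_id: str, max_age: int = 900) -> str:
    # Secure: only sent over HTTPS. HttpOnly: not readable by page scripts, so
    # a cross-site scripting bug cannot read it. SameSite=Strict: not attached
    # to cross-site requests. Max-Age bounds the cookie's lifetime in the browser.
    return (f"sid={session_id}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


class IdleTimeoutSessions:
    """Server-side session table; sessions idle longer than idle_seconds expire."""

    def __init__(self, idle_seconds: int = 900, clock=time.time):
        self.idle_seconds = idle_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.sessions = {}  # sid -> {"user": str, "last_seen": float}

    def create(self, user: str) -> str:
        # Called after a successful password check; the caller should drop any
        # pre-authentication session ID the browser presented.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_seconds:
            del self.sessions[sid]  # expired: treated exactly like an unknown ID
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid: str) -> None:
        # Logout: remove the server-side state, so a copied ID stops working
        # even if the browser never deletes its cookie.
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    sessions = IdleTimeoutSessions(idle_seconds=900)
    sid = sessions.create("alice")
    print(session_cookie(sid))
    print(sessions.lookup(sid))
```

The idle timeout is enforced on the server, not only through the cookie's Max-Age: a browser that keeps an old cookie still gets nothing once the server-side entry has expired or been destroyed.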

Page 6:

Thank You