Authenticating a site’s or app’s logged in users and managing their interactions is another critical area vulnerable to attacks from would-be intruders. Sites and apps that require logging in and/or store user data must take precautions to insure that users are who they claim to be, that there are no lapses in how user credentials (user names and passwords) are handled and that secure data remains protected at all times. The main concerns of authentication & session management include:
- Maintaining a trusted authentication system and insuring that all applications follow a common means of authenticating users and their privileges.
- Defining and maintaining high standards for creating, storing and resetting user credentials.
- Implementing control procedures to manage user sessions including the issuing of alerts of failed log in and the enforcement of timeouts.
- Insuring the security of data transmission by using Transport Layer Security (TLS) to guard against unauthorized access.
- Managing the usage of user and admin accounts.
Developers should pay particular attention to:
- Never write their own authentication and session routines; rather they should use existing, well-tested routines.
- Never include any credentials in an application’s source code.
- Take steps to prevent traversal attacks.
- Insure the removal of any ‘demo’ code.
- Use http ‘post’ rather than ‘get’.
- Restrict users from performing back browser actions when their session is over.
- And checked for vulnerabilities by doing both code reviews and penetration tests.
By taking a proactive approach that follows established guidelines, developers and site administrators can insure that authentication, password control and transmission systems work in harmony to maintain the security of their apps and sites.
For more information see:
Authentication Cheat Sheet
Guide to Authentication
Forgot Password Cheat Sheet
Transport Layer Protection Cheat Sheet