Broken Authentication and Session Management
Authentication is how a website verifies that a user is who they claim to be; session management is how it ties the user’s subsequent requests to that verified identity (usually through a session ID) and keeps each user’s session “walled off” from every other user, whether that other user stumbles into it by accident or deliberately tries to hijack the identity.
Both are necessary for almost any application that has user accounts, and implementing them soundly is critical to keeping your business’s and your customers’ data and accounts safe from accidental disruption and deliberate attack.
Web developers often build their own authentication and session management rather than reusing a vetted framework component, but getting this right is hard. It looks simple, yet the details are subtle, and it is all too easy to leave a custom system open to accidents or attack.
As a result, custom implementations commonly have flaws in logout, password management (storage, change and reset), session timeouts, “remember me” features, security questions, and account updates, among other areas. Finding these flaws is also harder than in a widely used framework, because each proprietary solution is unique and has to be reviewed on its own terms.
When the authentication and session management functions of a website or web application are not built securely, attackers can steal passwords or session IDs, or exploit other implementation flaws, to act as other users with those users’ privileges.
For a simple example, suppose a developer builds an eCommerce application that supports URL rewriting and places the session ID in the URL. An authenticated user wants to tell her friends about a special discount, so she copies the link from her browser’s address bar and sends it to them, not realizing that the URL also carries her session ID.
One of her friends opens the link and makes a purchase. Because the request arrives with a valid session ID, the server treats the friend as the original user and bills her stored credit card. The server has no way to know it isn’t her: it was built to identify the session by that ID alone, wherever the ID came from, and that design choice is what breaks authentication.
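The scenario above, as an added example that is not code from the original article: a small server-side session layer in Python with two request resolvers, one that accepts the session ID from the query string the way a URL-rewriting application does, and a hardened one that takes it only from a cookie. The store also shows the server-side idle timeout and logout invalidation mentioned earlier. The shop URL, the cookie name `sid`, the 15-minute timeout and the user names are all assumptions made for the illustration.

```python
"""Added example (not part of the original page): session ID in the URL
versus session ID in a cookie, with server-side expiry and logout.
Cookie name, timeout and URLs are assumed values for the demonstration."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the server drops a session (assumed policy)
COOKIE_NAME = "sid"      # assumed cookie / query parameter name


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side session table. Expiry and logout are enforced here,
    not by trusting anything the client sends back."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock          # injectable so the timeout can be exercised offline

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never derived from user data
        self._sessions[sid] = Session(user, self._clock())
        return sid

    def lookup(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]       # idle timeout enforced server-side
            return None
        s.last_seen = self._clock()
        return s.user

    def destroy(self, sid):
        self._sessions.pop(sid, None)     # logout invalidates the ID; replaying it afterwards fails


def parse_cookies(header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def user_vulnerable(store, url, cookie_header=""):
    """URL-rewriting style: a session ID in the query string is honoured, so a
    link copied from the address bar carries the sender's session with it."""
    qs = parse_qs(urlsplit(url).query)
    sid = qs.get(COOKIE_NAME, [None])[0] or parse_cookies(cookie_header).get(COOKIE_NAME)
    return store.lookup(sid) if sid else None


def user_hardened(store, url, cookie_header=""):
    """Hardened: the session ID is taken only from the cookie; the URL is ignored."""
    sid = parse_cookies(cookie_header).get(COOKIE_NAME)
    return store.lookup(sid) if sid else None


def set_cookie_header(sid):
    """Set-Cookie value for the hardened flow. HttpOnly keeps page scripts from
    reading it, Secure restricts it to HTTPS, SameSite=Lax keeps it off
    cross-site POSTs, and no Max-Age makes it a session cookie."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def shared_link_scenario(resolver):
    """Alice logs in and forwards the URL from her address bar; a friend with no
    session of her own opens it. Returns the user the server attributes the
    friend's request to under the given resolver."""
    store = SessionStore()
    alice_sid = store.create("alice")
    shared = f"https://shop.example/deals?promo=SPRING&{COOKIE_NAME}={alice_sid}"
    return resolver(store, shared)   # no Cookie header: the friend never logged in


if __name__ == "__main__":
    print("URL-rewriting app attributes the friend's purchase to:", shared_link_scenario(user_vulnerable))
    print("Cookie-only app attributes the friend's purchase to:", shared_link_scenario(user_hardened))
```

Run stand-alone, the first line names the original user and the second prints `None`: the hardened resolver sees the same URL but has nothing to identify the friend by, so she is asked to log in rather than being charged to someone else's card. Rejecting session IDs from the URL is only one piece; the store's server-side timeout and `destroy` on logout close the related gaps where a leaked ID would otherwise remain usable indefinitely.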