One of the most vulnerable areas of web applications is authentication and session management. Weak authentication and session management enables attackers to steal passwords, session tokens and encryption keys, and even to assume the identity of legitimate users. Session IDs are frequently exposed without SSL or TLS protection, or revealed through URL rewriting. The attackers could be external hackers or insiders who want to use other users' accounts to perform malicious acts.
The problem is caused mainly by the inherent difficulty of developing custom authentication and session management schemes in applications. Often, web applications develop custom schemes to manage logouts, password management, timeouts, secret questions and account updates. Frequently, these schemes have serious flaws that an attacker can take advantage of. Attackers usually target privileged accounts, and once they gain access they are indistinguishable from the legitimate owners of those accounts.
In order to protect against authentication and session management vulnerabilities, ensure that credentials are always protected through hashing or encryption when you store them. Strengthen the account management functions, such as account creation and password change and recovery, to prevent the guessing or overwriting of credentials. You must also ensure that the web application does not expose session IDs through URL rewriting. Session IDs should have a timeout feature, and you must rotate session IDs after successful logins. For example, if a user closes the browser instead of clicking the logout button, the session should stay alive only for a specific amount of time before the user is automatically logged off. Otherwise, someone who uses the same browser will find that the user is still authenticated. Send passwords, session IDs and other credentials only over secure TLS connections.
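The session controls described above (rotating the session ID on login, an idle timeout, and sending the ID only over TLS) can be seen in a small in-memory session store. This is an added example, not code from the original article; the `SessionStore` class, its 15-minute timeout and the injectable clock are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires (assumed value)


class SessionStore:
    """In-memory session store showing ID rotation and idle timeout (constructed example)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str | None, "last_seen": float}
        self._clock = clock   # injectable clock so expiry can be exercised deterministically

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never derive IDs from usernames or timestamps
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous (pre-login) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return session data if the ID is valid and not idle-expired, else None."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # expired: drop it so it cannot be revived
            return None
        data["last_seen"] = self._clock()   # activity extends the idle window
        return data

    def login(self, old_sid, user):
        """Bind the user to a freshly generated ID; the pre-login ID stops working."""
        self._sessions.pop(old_sid, None)   # old ID must no longer be accepted
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Invalidate the session server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: sent only over TLS, hidden from script, not sent cross-site."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Because the ID lives only in a `Secure` cookie, it is never written into a URL, which is the exposure the paragraph above warns about.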
One of the best things you can do to protect yourself is to provide a standard set of strong authentication and session management controls to your developers, so they don't have to reinvent the wheel each time. The standard should ideally meet the authentication and session management requirements specified in OWASP's Application Security Verification Standard.