Broken Authentication and Session Management

What is it

Authentication (verifying that you are who you claim to be) and session management (remembering a user's state as they navigate the site) are core features of any web application and are essential for it to function correctly.

If these are broken or missing, an attacker can gain full access to the application and its data.

Authentication and session management are considered broken if:

  1. A user signs out but can still access pages that required being signed in (the session was not invalidated on the server);
  2. Password recovery and password change controls can be bypassed easily;
  3. Passwords are not stored or protected properly;
  4. Session IDs are not protected and validated;
  5. The system assumes too much of the user (e.g., that users will protect their own data by choosing strong passwords).

How serious is it

Under market pressure and the complexity inherent in the application, designing and building a robust authentication and session management system often takes a back seat, and shipping the next working release (working ONLY in the optimal scenario) takes priority.

The impact of someone gaining access to your application or system through broken authentication or session management may include:

  • Loss of your online identity (especially if you link multiple accounts through email addresses, or use information from one service provider as recovery information for another);
  • Access to the data held in your system (loss of confidentiality);
  • Loss of data (loss of availability);
  • Modification of data (loss of integrity), since user accounts usually have privileges on the database;
  • Use of your online credentials to launch attacks on your friends, family, or other contacts.

The amount of data an attacker can retrieve depends on multiple factors, such as the attacker's creativity, the system design, and the vulnerabilities in the application's authentication and session management.

How to prevent
Appropriate Design and Architectural Patterns

Use an architectural pattern that minimizes implicit trust relationships between components. Relying on implicit trust between components is a sure way to weaken the authentication system: compromising one component lets the attacker compromise every other component that implicitly trusts it.

Use Threat Models

Threat modeling is a systematic way to identify weaknesses in software design. It should be applied while designing any software system so that design weaknesses are found before they are built in.

Proper authentication and session management controls
These can include:

  • Password restrictions (e.g., minimum password length, strength / complexity checks, account lockout after a set number of failed logon attempts)
  • Storing only salted, deliberately slow password hashes (e.g., Argon2, bcrypt, scrypt or PBKDF2), never plaintext or reversibly encrypted passwords
  • Protecting session IDs (long random values from a cryptographic generator, sent only over HTTPS in cookies marked Secure and HttpOnly)
  • Not reusing session IDs (issue a fresh ID at login, and invalidate it on logout and after a timeout)
  • No browser caching of authenticated pages (Cache-Control: no-store)
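
Putting these controls together, here is an added example in Python using only the standard library; it is not code from the original page. It stores salted PBKDF2-HMAC-SHA256 hashes instead of passwords, locks an account after repeated failures, issues a fresh 256-bit session ID from the OS random generator at every login (discarding any ID the browser held before authenticating), invalidates the ID on logout and after an idle timeout (the first symptom in the "What is it" list above), and returns the cookie and cache headers an authenticated page should carry. The policy limits, the in-memory user and session store, the small constructed password denylist, and the class and function names are all assumptions made for the example; a production system would use Argon2 or bcrypt through a maintained library and a database-backed store.

```python
"""Authentication and session management helpers (added example, not the
original page's code). Standard library only: PBKDF2-HMAC-SHA256 stands in
for Argon2/bcrypt, and dicts stand in for a database."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Policy values below are illustrative assumptions, not recommendations.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 600_000          # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256
SESSION_ID_BYTES = 32                # 256 bits of entropy from the OS CSPRNG
COMMON_PASSWORDS = {"password1234", "qwertyuiop12"}   # constructed denylist
_DUMMY_SALT = secrets.token_bytes(16)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; this is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_policy_violation(password: str) -> Optional[str]:
    """Return a reason the password is rejected, or None if it is acceptable."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "appears on the common-password denylist"
    return None


class AuthService:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so timeouts can be tested deterministically
        self._users = {}         # username -> {salt, hash, failures, locked_until}
        self._sessions = {}      # session id -> {user, expires}

    def register(self, username: str, password: str) -> None:
        reason = password_policy_violation(password)
        if reason is not None:
            raise ValueError(f"password rejected: {reason}")
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str,
              old_session_id: Optional[str] = None) -> Optional[str]:
        """Return a fresh session id on success, None on any failure."""
        now = self._clock()
        user = self._users.get(username)
        if user is None:
            hash_password(password, _DUMMY_SALT)   # same cost whether or not the user exists
            return None
        if now < user["locked_until"]:
            return None                            # locked out: even the right password fails
        if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILED_LOGINS:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        # Never promote a pre-login id to an authenticated session (fixation defence).
        self._sessions.pop(old_session_id, None)
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
        return session_id

    def user_for_session(self, session_id: Optional[str]) -> Optional[str]:
        """Validate a presented id; unknown or expired ids yield None."""
        now = self._clock()
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        if now >= sess["expires"]:
            del self._sessions[session_id]
            return None
        sess["expires"] = now + SESSION_TTL_SECONDS   # idle timeout slides on activity
        return sess["user"]

    def logout(self, session_id: str) -> None:
        """Server-side invalidation: the old id must stop working immediately."""
        self._sessions.pop(session_id, None)


def authenticated_response_headers(session_id: str) -> dict:
    """Cookie attributes and cache directives for a page shown to a logged-in user."""
    return {
        "Set-Cookie": f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/",
        "Cache-Control": "no-store",
    }
```

The `old_session_id` argument is what makes login resistant to session fixation: whatever ID the browser presented before authenticating is dropped rather than promoted. Note that a lockout counter on its own lets an attacker lock legitimate users out by guessing wrong on purpose; pair it with per-source rate limiting and alerting rather than relying on it alone.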