The importance of Broken Authentication and Session Management
Broken authentication is a website vulnerability that an attacker can exploit either to authenticate as another user or to sidestep the authentication method the website uses.
A machine or website uses authentication to make sure that the person trying to get access is a legitimate user. The website expects a user to enter valid username/email and password.
The information entered by the user is compared to the credentials stored in the database.
The user with valid credentials is allowed to access data or services.
Strong and secure authentication is one of the most important components of a website.
An authenticated user can visit a number of web pages.
For example, after adding a smartphone to the cart, the user might visit another page to shop for smartphone accessories.
The complete information related to the smartphone and accessories (price, payment method, discount etc.) should be retrievable from the shopping cart or from any other webpage.
In other words, a session is used to carry information from one webpage to another.
In programming, a session is used to store temporary information (username, password, products added to the shopping cart etc.) in session variables.
A session is created when a user logs in and destroyed when the user logs out.
A session is also invalidated automatically when it remains inactive for a specific period of time.
An attacker can use an exposed session ID to launch a ‘Session Hijacking’ attack and steal the information of a legitimate user.
Importance of Website Authentication
Even a simple website collects information from the user and stores it in a database.
Think of the number of forms you fill out while creating an account on your bank's website.
Banking web applications, e-commerce stores, government websites for filing tax returns and many other websites store a lot of sensitive information such as passwords, credit card details, transaction details etc.
Cloud adoption has become very affordable, mobility has increased, and people are posting and sharing a huge amount of data on social media websites.
You would not appreciate a website that allows someone else to get access to your information.
That’s why Facebook received a massive backlash worldwide: it failed to protect users’ data.
Authentication serves one more important purpose of blocking unauthorized users from getting access to the website, machine or any other system.
There are different types of authentication methods providing different levels of security.
Password-based authentication is the most used and the simplest method for authenticating a user.
The website, computer or any other system a user is trying to access will prompt a login form.
If the username and password provided by the user match the username and password stored in the database, the user is granted access; otherwise the user is asked to enter valid credentials, recover the password or create an account.
Creating a complicated yet easy-to-remember password:
Your name: Emilia Peterson
Reverse it: nosretep ailime
Replace characters: n05r3t39 a111m3
Substitutions used:
o or O -> 0
s or S -> 5
e or E -> 3
p or P -> 9
i or I -> 1
l or L -> 1
Note that such letter-for-digit substitutions are well known to password-cracking tools, so the length of the password matters more than the substitution itself.
Email-based authentication
This is a password-free method for authenticating a user.
Usually, this method is used to recover a forgotten password.
Websites that adopt password-free login, however, send an authentication link to the user's inbox to verify the authenticity of the user.
2FA/multi-factor authentication provides an additional layer of security.
Apart from the username and password, a user is validated by expecting something that only the user has access to.
The website sends some information to the user, and that information is valid only for a short span of time. If the user sends the same information back to the website, the user is authenticated.
The OTP or other code you receive after entering your username and password is an example of 2FA/multi-factor authentication.
Biometric authentication relies on unique physical characteristics of the body and compares these characteristics with verifiable and recognizable data stored in the database.
Fingerprints, face, handwriting, hand geometry, retina, iris, vein patterns and voice are the unique characteristics used in biometric authentication to identify a legitimate user.
This is considered the most secure form of authentication, but it is rarely used in web applications.
What is Broken Authentication and Session Management?
Any vulnerability or flaw introduced into a website by an erroneous implementation of authentication or session handling can cause broken authentication.
A website is prone to broken authentication and session management if:
- Usernames and passwords stored in the database are not protected.
- Authentication credentials are predictable.
- The session ID and authentication credentials are not sent in encrypted form.
- The URL (in URL rewriting) contains the session ID.
- The session ID is prone to session fixation.
- The session is not invalidated after logout.
- The session timeout is not set properly.
Preventing Broken Authentication and Session Management
Hashing and encryption are very useful for protecting usernames, passwords and any other credentials.
Programmers should make sure that the session ID is not exposed in the URL when URL rewriting is used.
A proper session timeout and invalidating the session ID after logout eliminate the risk of broken authentication and session management.
Recreating the session ID after a successful login is another good practice.
A website should use a strong encryption algorithm to send the username, password and other credential details in an unreadable format.
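The three session-handling practices above (timeout on inactivity, destruction on logout, and a fresh ID after login) in one small server-side store. This is an added example, not code from the original article; the store design, the 15-minute idle timeout and the injectable clock are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed policy value: invalidate after 15 idle minutes


class SessionStore:
    """In-memory session store (assumed design, not the page's code)."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # session_id -> {"user": str | None, "last_seen": float}
        self._clock = clock      # injectable clock so the timeout can be tested

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG: the ID is neither predictable nor sequential
        return secrets.token_urlsafe(32)

    def create_anonymous(self):
        """Session for a visitor who has not logged in yet (e.g. a shopping cart)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, username):
        """Bind the session to a user and recreate the ID after a successful login,
        so an ID planted or observed before login (session fixation) becomes useless."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return the session record, or None if sid is unknown or was idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # expired on the server, not just in the cookie
            return None
        entry["last_seen"] = now
        return entry

    def logout(self, sid):
        """Destroy the server-side record so a captured cookie is worthless after logout."""
        return self._sessions.pop(sid, None) is not None
```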
A non-guessable password is at least 8 characters long.
The website should enforce complex passwords that combine numbers, upper-case letters, lower-case letters and special characters.
Changing password every 6 months is a good practice. And, a website should not accept a reused password when the user resets the password.
Some authentication failure messages can be of great use to a hacker or attacker.
A website prompting messages such as ‘Invalid Username’ or ‘Invalid Email’ tells the attacker to try another username/email.
Prompting authentication failure responses such as ‘Invalid Username and/or Password’ can curtail an attacker’s attempts to guess a username or password.
A website should disable login if more than a specific number of login attempts fail.
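A login routine that applies the last two points together with hashed credential storage: the same failure message for an unknown user, a wrong password and a locked account, plus a lockout after a fixed number of failures. This is an added example, not the article's code; the PBKDF2 parameters, the five-attempt limit and the equal-cost dummy hash for unknown users are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5                                 # constructed policy value
DEFAULT_ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username and/or password"    # same text for every failure cause


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


class Authenticator:
    def __init__(self, users):
        self._users = users                             # username -> hash_password() record
        self._failures = {name: 0 for name in users}    # consecutive failed attempts

    def is_locked(self, username):
        return self._failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username, password):
        """Return (ok, message). Unknown user, wrong password and locked account all
        yield GENERIC_FAILURE, so the response never confirms that a username exists."""
        record = self._users.get(username)
        if record is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which usernames are valid either.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, DEFAULT_ITERATIONS)
            return False, GENERIC_FAILURE
        if self.is_locked(username):
            return False, GENERIC_FAILURE               # login disabled after too many failures
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        record["salt"], record["iterations"])
        if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
            self._failures[username] = 0
            return True, "Login successful"
        self._failures[username] += 1
        return False, GENERIC_FAILURE
```

The lock is only cleared by an out-of-band step (for example an administrator or a password reset), which this example deliberately leaves out.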
Users’ data is very valuable both to the user and to the website, and therefore it should be collected and managed very carefully.