Web Application Security Basics - Authentication and Session Management (Part I)

Positive patterns:

  • When registering new users, a username, an email address and a password should be requested at the very minimum. The email address should also be verified before enabling the account.
  • If multi factor authentication is implemented then the relevant data should be requested as well.
  • If the “forgot password” feature requires answering security questions, they should be set up during this phase of the application.
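The email-verification pattern from the first bullet, as an added example (not code from the original post): the account is created disabled, a random verification token is sent to the user while only its hash is stored, and the account is enabled only when a valid, unexpired token is presented. The in-memory store, the 24-hour token lifetime and the PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

VERIFY_TOKEN_TTL = 24 * 3600  # assumption: verification links expire after 24 hours


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    enabled: bool = False          # stays False until the email address is verified
    verify_token_hash: str = ""    # hash of the emailed token; cleared once used
    verify_expires_at: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Registrar:
    """Minimal in-memory registration store, constructed for this example."""

    def __init__(self):
        self.accounts = {}

    def register(self, username: str, email: str, password: str, now=None) -> str:
        """Create a disabled account and return the raw token to email to the user."""
        now = time.time() if now is None else now
        if not (username and email and password):
            raise ValueError("username, email address and password are all required")
        if username in self.accounts:
            raise ValueError("username already taken")
        # Only the hash of the token is stored, so a leaked database
        # does not hand out working verification links.
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username=username,
            email=email,
            salt=salt,
            password_hash=hash_password(password, salt),
            verify_token_hash=hashlib.sha256(token.encode()).hexdigest(),
            verify_expires_at=now + VERIFY_TOKEN_TTL,
        )
        return token

    def verify_email(self, username: str, token: str, now=None) -> bool:
        """Enable the account if the presented token matches and has not expired."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct.enabled or not acct.verify_token_hash:
            return False
        if now > acct.verify_expires_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.verify_token_hash):
            return False
        acct.enabled = True
        acct.verify_token_hash = ""   # single use
        return True

    def can_login(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.enabled
```

The login path checks `can_login`, so an attacker who registers with someone else's address never gets a usable account, and the hashed, single-use, expiring token keeps a verification link from being replayed later.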

Preventing automated registration:

  • If there are concerns about attackers exploiting automated registration for malicious purposes, using a CAPTCHA is encouraged. (But it should be kept in mind that there is a trade-off, since this will reduce the usability of your application.)
  • An alternative to using a CAPTCHA is connection throttling: after a user is created, your application should enforce a time limit of 15 minutes before another user can be registered from the same MAC address or IP address.
  • One technique that may help stave off automated registration abuse is to add an additional form component, such as a text field, and then hide it with CSS by positioning the component off-page, or use some other method to make it invisible to users. A normal user would never see this “hidden” text field or fill it with any data, so a submission that contains a value for it can be treated as automated.
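The two non-CAPTCHA controls above (the 15-minute per-address cooldown and the hidden honeypot field) combined into one pre-registration check, as an added example that is not code from the original post. The guard object, the field name `website_url` and the in-memory table of last registrations are assumptions made for this example.

```python
import time

REGISTRATION_COOLDOWN = 15 * 60   # seconds: the 15-minute limit from the text
HONEYPOT_FIELD = "website_url"    # assumption: name of the CSS-hidden field


class RegistrationGuard:
    """Decides whether a registration request may proceed; constructed for this example."""

    def __init__(self, cooldown: int = REGISTRATION_COOLDOWN):
        self.cooldown = cooldown
        self.last_registration = {}   # client address -> time of last accepted registration

    def check(self, client_addr: str, form: dict, now=None):
        """Return (allowed, reason). Call before creating the account."""
        now = time.time() if now is None else now
        # Honeypot: the field is invisible to people, so only automation fills it.
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot field populated"
        # Throttling: one accepted registration per address per cooldown window.
        last = self.last_registration.get(client_addr)
        if last is not None and now - last < self.cooldown:
            return False, "registration cooldown active"
        return True, "ok"

    def record(self, client_addr: str, now=None) -> None:
        """Call after an account was actually created, to start the cooldown."""
        now = time.time() if now is None else now
        self.last_registration[client_addr] = now


if __name__ == "__main__":
    guard = RegistrationGuard()
    # Constructed sample requests: a normal user, then a second attempt from
    # the same address a minute later, then a bot that filled the hidden field.
    print(guard.check("203.0.113.7", {"username": "alice"}, now=0))
    guard.record("203.0.113.7", now=0)
    print(guard.check("203.0.113.7", {"username": "alice2"}, now=60))
    print(guard.check("198.51.100.2", {"username": "bot", "website_url": "http://spam.invalid"}, now=0))
```

The guard keys on the address the server actually sees; a MAC address is not visible beyond the local network segment, and one public IP often fronts many users behind NAT, so the cooldown length and the decision to block rather than just flag should be tuned to the site's audience.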

The basic workflow of registering new users

Step 1: Anonymous session created on first hit

  • When a user first visits your website, J2EE automatically creates a session for them and sets a JSESSIONID cookie even before that user logs in. As with anything, this has both good and bad effects.
  • The usefulness of this is that you may wish to track which products a user has looked at so you can provide targeted advertising or otherwise change and improve the user experience.
  • The danger is that an attacker can easily generate an active session ID at any time, which can be used to trick a user into becoming a victim of session fixation.
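The standard defence against the session-fixation risk in Step 1 is to issue a fresh session ID at the moment the session becomes authenticated, so a pre-login ID that anyone else may know never turns into a logged-in session. The following in-memory session store is an added example, not code from the original post or from any servlet container; the `rotate_on_login` switch is there only to contrast the rotating and non-rotating behaviour. In a Servlet 3.1 container the equivalent step is `HttpServletRequest.changeSessionId()` (or invalidating the old session and creating a new one) right after credentials are verified.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None            # None while the session is anonymous
    data: dict = field(default_factory=dict)


class SessionStore:
    """Stand-in for the container's session table, constructed for this example."""

    def __init__(self, rotate_on_login: bool = True):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def start_anonymous(self) -> str:
        """Step 1 from the text: a session and its ID exist before any login."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, username: str) -> str:
        """Mark the session as authenticated for `username` and return the ID to set in the cookie."""
        if not self.rotate_on_login:
            # Weak behaviour: the pre-login ID simply becomes authenticated.
            self.sessions.setdefault(sid, Session()).user = username
            return sid
        # Hardened behaviour: retire the pre-login ID, keep the anonymous data
        # (e.g. a shopping cart) and issue a new ID that only this login knows.
        old = self.sessions.pop(sid, None)
        carried = dict(old.data) if old else {}
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=username, data=carried)
        return new_sid

    def lookup(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start_anonymous()
    store.lookup(anon).data["cart"] = ["widget"]
    authed = store.login(anon, "alice")
    print("old id still valid:", store.lookup(anon) is not None)   # False
    print("new id user:", store.lookup(authed).user, store.lookup(authed).data)
```

With rotation on, any ID handed out before login is dead after login, so it does not matter who else saw it; the anonymous-session benefits (tracking viewed products, carrying a cart) are preserved because the data moves to the new ID.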

Step 2: Starting HTTPS and encryption in transit

Step 3: Processing and verifying credentials

Step 4: Start the user's authenticated session

Step 5: User actions

Step 6: Re-authentication for sensitive operations

Step 7: Idle Timeout

Step 8: Absolute timeout

Step 9: Logout

Attacks against authentication

Session Hijacking

Session fixation

Credential Security

Password Policy

Password Managers

Password Storage




Kasun Balasooriya

Lead Software Engineer @ IFS, Former intern at @ WSO2 inc.