Broken Authentication & Session Management

Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session



Page 1

Broken Authentication &

Session Management

Page 2

What is it?

• Bad implementation of authentication and session management.

• If an attacker can get your session ID, then they can steal your session.

• Could happen over an unsafe medium.

• Could happen if an attacker can get your password.

Page 3

Broken Authentication and Session Management - Vulnerabilities

• Passwords not hashed.

• Weak password recovery method.

• Exposed session IDs.

• Long session timeout.

• Improper rotation of session IDs after logout.

• Sending session IDs or passwords over unencrypted connections.

Page 4

Session Fixation Attack

Page 5

Broken Authentication and Session Management - Prevention

• Always use HTTPS for any authenticated URLs.

• If storing credentials in a database, store them encrypted or hashed.

• Set session timeouts as low as possible to reduce the risk of exposure to someone who forgets to log out at a public terminal.

• Try to store session IDs in cookies.

• Invalidate sessions properly.
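The following is an added example, not part of the original slides, that puts the vulnerabilities list and the prevention list above into one small server-side session store: passwords are stored as salted PBKDF2 hashes rather than in clear, a fresh session ID is issued at login and any attacker-supplied pre-login ID is discarded (the defence against the session fixation attack from the earlier slide), sessions expire on a short idle timeout, logout invalidates the session on the server rather than only deleting the cookie, and the session cookie is marked Secure and HttpOnly so it is only sent over HTTPS and is not readable by page scripts. The user store, session store, timeouts and the function names are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example (a real app would use a database).
USERS = {}     # username -> (salt, pbkdf2 digest)
SESSIONS = {}  # session_id -> {"user": str, "created": float, "last_seen": float}

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (keep this low)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity
PBKDF2_ROUNDS = 600_000       # iteration count for PBKDF2-HMAC-SHA256

def register(username, password):
    """Store only a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)

def verify_password(username, password):
    """Constant-time comparison of the derived hash against the stored one."""
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def new_session_id():
    """256 bits from the OS CSPRNG; unguessable, unlike a counter or a timestamp."""
    return secrets.token_urlsafe(32)

def login(username, password, presented_session_id=None, now=None):
    """Authenticate and issue a brand-new session ID (session fixation defence)."""
    now = time.time() if now is None else now
    if not verify_password(username, password):
        return None
    # Never promote a pre-login session ID to an authenticated one: drop it and rotate.
    if presented_session_id is not None:
        SESSIONS.pop(presented_session_id, None)
    sid = new_session_id()
    SESSIONS[sid] = {"user": username, "created": now, "last_seen": now}
    return sid

def session_user(sid, now=None):
    """Return the user for a live session, expiring it on idle or absolute timeout."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
        SESSIONS.pop(sid, None)   # expired: remove server-side so the ID cannot be replayed
        return None
    s["last_seen"] = now
    return s["user"]

def logout(sid):
    """Invalidate server-side; clearing the browser cookie alone leaves the ID usable."""
    return SESSIONS.pop(sid, None) is not None

def session_cookie_header(sid):
    """Cookie attributes: Secure = HTTPS only, HttpOnly = hidden from scripts,
    SameSite limits the cookie being sent on cross-site requests."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple", presented_session_id="attacker-chosen")
    print(session_cookie_header(sid))
    print("user:", session_user(sid))
    logout(sid)
    print("after logout:", session_user(sid))
```

The timeouts are deliberately injectable through the `now` parameter so expiry can be exercised without waiting; the PBKDF2 work factor makes each verification take a noticeable fraction of a second, which is the point.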

Page 6

Thank You