Mitigating Broken Authentication
Launch
On screen text
DES 223
Mitigating Broken Authentication
Page 1 of 13
Course Overview and Objectives
Narration
In this course, you will learn about broken authentication and session management vulnerabilities, session
lifecycle, and the best practices to mitigate broken authentication.
After you have completed this course, you will be able to:
Understand broken authentication and session management vulnerabilities
Describe best practices used to mitigate broken authentication vulnerabilities
On screen text
Course Overview and Objectives
After you have completed this course, you will be able to:
• Understand broken authentication and session management vulnerabilities
• Describe best practices used to mitigate broken authentication vulnerabilities
Page 2 of 13
Broken Authentication
Narration
Broken authentication and session management vulnerabilities are those in which an attacker exploits flaws to
impersonate other users either through session hijacking, session manipulation, or credential discovery.
These flaws are usually the result of poor session control and isolation, weak password recovery and account
management functions, and inadequately secured transmission or storage of user credentials.
Examples of broken authentication and session management include forgotten password functionality, relying
on an IP address for a session, and having inadequate timeouts for inactive sessions.
Let's see an example of forgotten password functionality to understand this threat better. Many Web
applications include functionality for forgotten passwords.
Users submit their usernames to the application, which then directs them to a password recovery page.
Recovery methods include providing answers to secret questions to obtain a forgotten password, or submitting a
user name or email address to receive temporary password information that can be used to reset the password.
Attackers often exploit this functionality to identify valid user names for the application.
Developers often forget that if an attacker can retrieve a user name, the puzzle is half solved. An attacker cannot
do much by just knowing a password, but can potentially achieve a lot by knowing the user name.
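The username-enumeration risk described above comes from the application answering differently depending on whether a username exists. The following Python example is added here for illustration; it is not code from the course. It contrasts a login routine that leaks account existence with one that returns the same generic message for an unknown user and a wrong password, does the same hashing work in both cases, and handles a forgotten-password request with a fixed response while only sending a reset token (never the password) for accounts that actually exist. The user table, password, and hashing parameters are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # constructed sample value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed sample user table: username -> salted PBKDF2 hash.
USERS = {"alice": _make_user("correct horse battery staple")}

# Dummy credential used when the username does not exist, so the server does
# the same amount of work for unknown users as for known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If an account exists for that username, a reset link has been sent."


def login_enumerable(username: str, password: str):
    """Anti-pattern: distinct messages reveal which usernames exist."""
    user = USERS.get(username)
    if user is None:
        return (False, "No such user.")
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return (False, "Wrong password.")
    return (True, "Login successful.")


def login(username: str, password: str):
    """Hardened: identical message and identical hashing work whether the
    username is unknown or the password is wrong."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    # compare_digest runs first so timing does not depend on user existence.
    ok = hmac.compare_digest(candidate, expected) and user is not None
    return (ok, "Login successful." if ok else GENERIC_LOGIN_ERROR)


def request_password_reset(username: str, outbox: list) -> str:
    """Always return the same message; only queue a reset token (delivered
    out of band) when the account exists. The password itself is never sent."""
    if username in USERS:
        outbox.append({"to": username, "token": secrets.token_urlsafe(32)})
    return GENERIC_RESET_MESSAGE


if __name__ == "__main__":
    print(login("alice", "wrong"), login("nobody", "wrong"))
    mail = []
    print(request_password_reset("nobody", mail), request_password_reset("alice", mail), len(mail))
```

The `outbox` list stands in for an email or SMS sender; in a real application the reset token would also be stored with an expiry and invalidated once used.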
On screen text
Broken Authentication
Page 3 of 13
The Session Lifecycle
Narration
User session management is the process of authenticating, authorizing, and managing users from login until
session termination. Although the application initially authenticates a user based on username, password, and in
some cases a second factor of authentication, all subsequent session authentication relies on a unique session
identifier.
Because this single session identifier—or token—is equivalent to the user’s credentials for the duration of the
session, it is critical to take all precautions necessary to protect it from attack. The diagram illustrates a typical
session lifecycle.
On screen text
The Session Lifecycle
Page 4 of 13
Knowledge Check
On screen text
Knowledge Check
While an application initially authenticates a user based on username, password, and second-factor
authentication, all subsequent authentications rely on:
• Username and password only
• A unique session identifier
• Second-factor authentication only
• A reusable session identifier
Page 5 of 13
Broken Authentication Best Practices
Narration
User authentication and session management have a long history in information technology. Account
compromise is perhaps the oldest security threat we face. Through years of developing new techniques and
learning from past mistakes, the industry has developed a long list of best practices.
Some rules are simple and seemingly obvious. However, due to the compounding nature of security threats, it is
important to understand and strictly follow even the most basic of these rules.
To better understand how to make secure authentication and session management an integral part of any web
application, let’s review best practices for user logins, password and password policies, session tokens, cookie
security, and cryptography.
On screen text
Broken Authentication Best Practices
Page 6 of 13
Broken Authentication Best Practices
Narration
When working with user logins, always use TLS-encrypted forms for user login. Avoid pop-up windows that do
not show the address bar and TLS validation icon. Validate form input to help users avoid mistakes and never use
hidden form fields for storing authentication-related information. Consider countermeasures against brute-force
attacks and credential harvesting, and consider supporting third-party authentication providers such as Google™
or Facebook.
Use generic error messages, as too much information can be used by attackers.
Finally, avoid using remember-me functionality with high-value applications, and always provide users with a
logout button to manually terminate a session.
On screen text
Broken Authentication Best Practices
Page 7 of 13
Broken Authentication Best Practices
Narration
A set of strong password policies will help secure your users’ passwords and data. Implement strong yet usable
and practical password complexity requirements, including fixed but reasonable expiration dates. Always notify
users of password changes via email or SMS, but never send the actual passwords. Always ask for the previous
password when setting a new password, to ensure that not just anybody can reset a user’s password. Expiring all
current sessions after changing passwords can help with this. Do not automatically assign temporary passwords.
Finally, provide two-factor authentication features for sensitive applications. Hardware devices, software tokens,
or SMS one-time-passwords greatly enhance account security.
On screen text
Broken Authentication Best Practices
Page 8 of 13
Broken Authentication Best Practices
Narration
Session tokens are another potential avenue for attack, and should be secured. Store session identifiers in a
generic variable that does not allow fingerprinting or profiling. Ensure that the session ID is sufficiently long and
is created using a strong random number generator, which makes it harder for an attacker to brute-force or simply
guess. The session ID should only contain a single session identifier and never contain any other identifying
information. Always store session identifiers in cookies and never rely on sending session IDs via URL
parameters, hidden form fields, or custom HTTP headers. Generate new session identifiers after user login,
immediately after privilege escalation or role change, or after sensitive operations such as password changes.
Never accept user-provided session identifiers if the application did not generate that ID for the user. Never
transmit session-related content over non-TLS connections, including creative assets such as style sheets and
graphics. Always set both absolute and relative time limits on session identifiers to ensure proper session
expiration. Lastly, use well-tested framework or built-in platform session management features instead of
implementing your own.
On screen text
Broken Authentication Best Practices
Page 9 of 13
Broken Authentication Best Practices
Narration
Only store session identifiers in session cookies. Never store session-related values in persistent cookies. Always
set the Secure cookie attribute to ensure that the application always transmits cookies over secure connections.
Always set the HttpOnly cookie attribute to ensure that scripts cannot access cookies via the DOM
document.cookie object.
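The session-token and cookie practices on the two preceding pages (long random IDs, rejecting IDs the server never issued, regenerating the ID after login, role change, or password change, absolute and idle time limits, and session cookies with the Secure and HttpOnly attributes), together with the earlier advice to expire all current sessions after a password change, are shown in the following Python example. It is added here and is not code from the course; the store is an in-memory dictionary, the timeout values are constructed sample values, the `clock` parameter exists only so the behaviour can be exercised without waiting, and the `SameSite=Strict` attribute in the cookie is an additional hardening the course does not mention.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG (sample value)
IDLE_TIMEOUT = 15 * 60           # relative limit: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # absolute limit: 8 hours after creation
COOKIE_NAME = "id"               # generic name that reveals nothing about the platform


@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str, role: str = "user") -> str:
        """Issue a fresh, unguessable identifier that carries no user information."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, role, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve a client-supplied ID. IDs the server never issued are rejected;
        sessions past either time limit are purged and rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def rotate(self, sid: str, new_role: Optional[str] = None) -> Optional[str]:
        """Replace the identifier after login or a privilege change;
        the old ID stops working immediately."""
        s = self.lookup(sid)
        if s is None:
            return None
        del self._sessions[sid]
        return self.create(s.user, new_role or s.role)

    def revoke_all_for_user(self, user: str) -> int:
        """Expire every session a user holds; returns how many were removed."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def on_password_changed(store: SessionStore, sid: str) -> Optional[str]:
    """After a password change (the caller has already verified the previous
    password), expire all of the user's sessions and issue one fresh ID."""
    s = store.lookup(sid)
    if s is None:
        return None
    store.revoke_all_for_user(s.user)
    return store.create(s.user, s.role)


def set_cookie_header(sid: str) -> str:
    """Session cookie only: no Expires/Max-Age, so it is not persisted to disk.
    Secure keeps it off non-TLS connections; HttpOnly keeps it away from
    document.cookie; SameSite=Strict is an extra hardening beyond the course."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(store.lookup("attacker-chosen-id"))   # None: not issued by the server
    print(store.rotate(sid, new_role="admin") != sid)
```

In a deployment the dictionary would be replaced by the framework's own session backend, as the course recommends; the point of the example is which operations that backend must support and when the application must call them.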
On screen text
Broken Authentication Best Practices
Page 10 of 13
Broken Authentication Best Practices
Narration
Always send user credentials and session tokens over secure encrypted channels, even for private internal
communications. Although TLS content is encrypted, the URL itself is not, and it should never reveal sensitive
information. Always use certificates signed by an organizational certificate authority for private intranet
applications and by a recognized and trusted certificate authority for public applications. Never use self-signed
certificates, even for internal applications. Do not mix secure and non-secure content in secure areas of the
application. Familiarize yourself with regulations and standards required for your organization and industry.
On screen text
Broken Authentication Best Practices
Page 11 of 13
Course Summary
Narration
In this course, you learned about broken authentication and session management vulnerabilities, session
lifecycle, and the best practices to mitigate broken authentication.
On screen text
Course Summary
In this course, you learned about broken authentication and session management vulnerabilities, session
lifecycle, and the best practices to mitigate broken authentication.
Page 12 of 13
Thank You
On screen text
Thank You
This concludes the Mitigating Broken Authentication course. Thank you.
Click the “Take the Exam” button to proceed to the exam.
Page 13 of 13