how do Broken Authentication and Session Management

Posted by Cpatil1000 under ASP.NET on 8/23/2016 | Points: 10 | Views : 166 | Status : [Member] | Replies : 0

Finaly our project has been lounch in nic. Before nic louch our software has been
audited by them. So they have required pre cookies and post cookies. We have tried it
but problem is if we tried to change cookies name then it is affected our session value
so we are not getting user name and information to display who name and login information
per page when, he is opening for data entry or view..

So how solved following solution....

The following solution can be implemented for fixing the session fixation flaw & Improper Cache control:

I. Follow a secure session management lifecycle which includes proper initialization, maintenance, authentication and termination of the session token.

II. Application should generate different tokens for pre authentication and post authentication. The first time a user visits this web site, he/she is given a
session token by the web site. Now when the user attempts to login, the same session token is used while processing this request. After the login process,
if the web site doesn’t
allocate a fresh session token to the user, the user is prone to session fixation attack. So it is mandatory for the web site to provide a
unique, random and fresh session token after the user has authenticated to the web site.

III. Do not allow the login process to start from an unencrypted page. Always start the login process from a second, encrypted page with a fresh
or new session token to prevent credential or session stealing, phishing attacks and session fixation attacks.

IV. Consider regenerating a new session upon successful authentication or privilege level change.

V. Only use the inbuilt session management mechanism. Do not write or use secondary session handlers under any circumstances.

VI. Do not accept new, preset or invalid session identifiers from the URL or in the request. This is called a session fixation attack.

VII. The session tokens given to the user before the authentication process should be different from session tokens that are given to the user after
the user has authenticated.


(No response found.)

Login to post response