Following is the checklist to find out the flaws in user credentials and session IDs

  • Check security aspects of all the stored credentials using hashing or encryption
  • Check if the credentials can be guessed or overwritten
  • Check if the session iDs are at all vulnerable to attacks such as session fixation etc.
  • Check whether the session IDs are exposed in the URL
  • Check whether the passwords, session IDs and other credentials are sent via TLS connections or not
  • Check if SSL is used by the login page
  • Check if the audit is logged with who, when, from, where and what data
  • Check if inbuilt session management is used or not
  • Check whether the new, preset or invalid session ids are rejected
  • Check the security levels of password reset and Question and answer clues

Guidelines for Secured Session Management

Guidelines

Password Strength

  • Ensure that the password is of a enough length and complexity, using combinations of alphabet, numbers and non alphanumeric characters

Password Storage

  • It is always better to store the passwords either in hashed or encrypted format to avoid exposure
  • Even decryption keys should be strongly protected

Password Use

  • Users should be restricted by number of login attempts
  • Avoid the display of the passwords provided during failed login attempts as there are chances of exploitation
  • Ensure that the user is provided with all the login details along with date and time

Browser Caching

  • Make sure that all the authentication pages are marked with no cache tag in order to prevent usage of previously typed user credentials
  • Latest browsers have feature called AUTOCOMPLETE=OFF flag to prevent credentials and sensitive information in autocomplete caches