Following is the checklist to find out the flaws in user credentials and session IDs
- Check security aspects of all the stored credentials using hashing or encryption
- Check if the credentials can be guessed or overwritten
- Check if the session iDs are at all vulnerable to attacks such as session fixation etc.
- Check whether the session IDs are exposed in the URL
- Check whether the passwords, session IDs and other credentials are sent via TLS connections or not
- Check if SSL is used by the login page
- Check if the audit is logged with who, when, from, where and what data
- Check if inbuilt session management is used or not
- Check whether the new, preset or invalid session ids are rejected
- Check the security levels of password reset and Question and answer clues
Guidelines for Secured Session Management
Guidelines
Password Strength
- Ensure that the password is of a enough length and complexity, using combinations of alphabet, numbers and non alphanumeric characters
Password Storage
- It is always better to store the passwords either in hashed or encrypted format to avoid exposure
- Even decryption keys should be strongly protected
Password Use
- Users should be restricted by number of login attempts
- Avoid the display of the passwords provided during failed login attempts as there are chances of exploitation
- Ensure that the user is provided with all the login details along with date and time
Browser Caching
- Make sure that all the authentication pages are marked with no cache tag in order to prevent usage of previously typed user credentials
- Latest browsers have feature called AUTOCOMPLETE=OFF flag to prevent credentials and sensitive information in autocomplete caches