Security vulnerabilities are often caused by errors in the user and session management of web applications: errors in authentication, inadequate checks in the password reset process, or incomplete permission checks when actions are executed within the application (accessing data, making changes, deleting records). We should therefore keep an eye on the user and their permissions within a session in our applications at all times. This applies in particular to the checking of authorizations when executing CRUD operations (Create, Read, Update and Delete).
5.1 What are the threats facing us and our customers?
Hijacking and Misuse of User Accounts and Privileges
If user sessions are not sufficiently secured, or cookies containing session information (e.g., the session ID) can be viewed by third parties, attackers may be able to access our applications and our users' data.
Likewise, errors in the implementation of password reset functions ("forgotten password") often lead to user accounts being hijacked by third parties. We should protect our customers from such threats by implementing secure procedures.
Unauthorized Access to Data and Functions
If authorization checks are not implemented completely and robustly in our applications, data may be manipulated or deleted by unauthorized users. Unauthorized access to data or functions within our applications directly threatens the confidentiality, integrity, and availability of our users' data, and can also pose a threat to our IT infrastructure.
5.2 What should we consider during development?
Use of Standard Methods for Authentication, Login and Logout
For the implementation of user login and logout capabilities, we should take advantage of the standard methods provided by developer frameworks to implement the most secure authentication possible.
The proprietary development of login and logout functions should be avoided whenever possible and, if necessary, a security review should be performed by a second developer.
Implementation of Authorization Checks for Access to Data/Functions
When implementing CRUD operations (functions for creating, reading, changing and deleting data) in our applications, we should always provide mandatory authorization checks. At the beginning of each CRUD operation, it must be checked whether the currently logged-in user is authorized to execute the respective operation on the affected data record.
The CRUD methods generated by frameworks using scaffolding usually contain such authorization checks and can serve as a reference during development.
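As an added illustration (not code from the original guideline or from any particular framework), the following constructed Python example shows the pattern described above: every CRUD operation first checks whether the session user may perform that operation on the affected record, and an unknown record id is refused with the same error as a missing permission. The role names "admin" and "auditor" and the ownership rule are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

@dataclass
class Record:
    id: int
    owner_id: int
    data: dict = field(default_factory=dict)

# Assumed policy for non-owners, by role (constructed role names):
ROLE_PERMISSIONS = {"admin": {"read", "update", "delete"}, "auditor": {"read"}}

def is_authorized(user, op, record=None):
    """May the logged-in user run `op` on `record`? (record is None for create)"""
    if user is None:
        return False                      # no authenticated session: deny
    if op == "create":
        return True                       # any logged-in user may create own records
    if record.owner_id == user.id:
        return True                       # owner may read/update/delete own record
    return any(op in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)

class RecordService:
    """CRUD operations; each runs the authorization check before touching data."""
    def __init__(self, session_user, store):
        self.user, self.store = session_user, store   # store: dict[id -> Record]
    def _load(self, op, rid):
        rec = self.store.get(rid)
        # Unknown id and missing permission raise the same error, so a caller
        # cannot probe which record ids exist (PermissionError is the builtin).
        if rec is None or not is_authorized(self.user, op, rec):
            raise PermissionError(f"{op} of record {rid} denied")
        return rec
    def create(self, rid, data):
        if not is_authorized(self.user, "create"):
            raise PermissionError("create denied")
        self.store[rid] = rec = Record(rid, self.user.id, dict(data))
        return rec
    def read(self, rid):
        return dict(self._load("read", rid).data)
    def update(self, rid, changes):
        rec = self._load("update", rid)
        rec.data.update(changes)
        return dict(rec.data)
    def delete(self, rid):
        self._load("delete", rid)
        del self.store[rid]
```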
5.3 Further Information
Best practices (patterns) for secure session management: