Authentication and Session Management on the Web by Paul Johnston on 16/06/05

This paper looks at the security concerns specific to websites that have a secure area where users can login. For much of the paper we use the example of Acme Enterprises, a fictitious company that sells generic goods by mail order. The company already has a basic website that provides a catalogue of its products. It is now looking to expand this to include an area where customers can manage their accounts. The security challenge is to keep the account information confidential, to prevent unauthorized modification and to ensure the account management system is always available for use. This is the fundamental triangle of information security – confidentiality, integrity and availability.

This paper discusses how these requirements are met, primarily looking at how users are authenticated and login sessions maintained. We start by looking at the existing security measures for the basic website. Then we look at the various options for authenticating users in general, concluding that passwords are the only viable option. We look at options for implementing password authentication on the Web, and come to the “session ID cookie” model used by many websites. Several attacks against such websites are demonstrated and various mitigation options are evaluated. We conclude with a summary of mitigations and a discussion of what is “state of the art” in this area.
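The "session ID cookie" model mentioned above, reduced to its moving parts, as an added example that is not part of the paper: a password is verified against a salted PBKDF2 digest, a successful login mints an unguessable session ID that is stored server-side with an expiry, and later requests are mapped back to the user by looking that ID up rather than by trusting anything else in the cookie. All names (`SessionStore`, `register`, `login`, the `SESSIONID` cookie name, the iteration count and lifetime) are assumptions made for this example, not identifiers from the paper.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed parameters for this example; tune for a real deployment.
PBKDF2_ITERATIONS = 200_000
SESSION_LIFETIME_SECONDS = 30 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class SessionStore:
    """Server-side session table keyed by a random session ID (the value sent in the cookie)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock, so expiry can be exercised in tests
        self._sessions = {}  # session_id -> (username, expires_at)

    def create(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = (username, self._now() + SESSION_LIFETIME_SECONDS)
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Return the logged-in username for a presented ID, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[session_id]  # idle sessions are purged, not revived
            return None
        return username

    def destroy(self, session_id: str) -> None:
        """Logout: forget the ID server-side so a stolen cookie is useless afterwards."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Cookie carrying only the opaque ID; flags keep it off plain HTTP and away from scripts."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed in-memory user table for the example.
USERS = {}  # username -> (salt, digest)


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(store: SessionStore, username: str, password: str) -> Optional[str]:
    """Return a fresh session ID on success, None on any failure."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so response time does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return None
    salt, digest = record
    if not verify_password(password, salt, digest):
        return None
    return store.create(username)


if __name__ == "__main__":
    store = SessionStore()
    register("alice", "correct horse")
    sid = login(store, "alice", "correct horse")
    print(set_cookie_header(sid))
    print("lookup:", store.lookup(sid))
```

The point of the design is that the cookie carries no user data at all: the server decides who the client is by looking the ID up, so the only ways in are to guess a 256-bit value, to obtain a live cookie, or to know the password.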


