Cyber Security Expo
 
Authentication and Session Management on the Web by Paul Johnston on 16/06/05

This paper looks at the security concerns specific to websites that have a secure area where users can login. For much of the paper we use the example of Acme Enterprises, a fictitious company that sells generic goods by mail order. The company already has a basic website that provides a catalogue of its products. It is now looking to expand this to include an area where customers can manage their accounts. The security challenge is to keep the account information confidential, to prevent unauthorized modification and to ensure the account management system is always available for use. This is the fundamental triangle of information security – confidentiality, integrity and availability.

This paper discusses how these requirements are met, primarily looking at how users are authenticated and login sessions maintained. We start by looking at the existing security measures for the basic website. Then we look at the various options for authenticating users in general, concluding that passwords are the only viable option. We look at options for implementing password authentication on the Web, and come to the “session ID cookie” model used by many websites. Several attacks against such websites are demonstrated and various mitigation options are evaluated. We conclude with a summary of mitigations and a discussion of what is “state of the art” in this area.

This document is in PDF format. To view it click here.

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.