interviews.dotnetthread.com


Thursday, April 8, 2010

Broken Authentication and Session Management

  • Because HTTP is a stateless protocol, the application itself has to carry the information that authenticates a user from one request to the next. Below are the precautions we need to follow:
    • Use one of the following authentication methods:
      • Forms Authentication
      • Windows Authentication
      • Passport
    • Change-password controls:
      • Always ask for the old password as well as the new one.
      • If password-reset links are sent to the user's email address, re-authenticate the user before allowing the email address to be changed.
    • All passwords should be stored in the database in encrypted form, never in plain text. Use System.Security.Cryptography in .NET, which provides the following algorithms:

Symmetric Algorithms
  • DES (Data Encryption Standard)
  • TripleDES (Triple Data Encryption Standard)
  • Rijndael
  • RC2

Asymmetric Algorithms
  • DSA (Digital Signature Algorithm)
  • RSA

Hash Algorithms
  • HMAC SHA1 (Hash-based Message Authentication Code using the SHA1 hash algorithm)
  • MAC Triple DES (Message Authentication Code using Triple DES)
  • MD5
  • SHA1, SHA256, SHA384, SHA512 (Secure Hash Algorithm using various hash sizes)

Source: http://msdn.microsoft.com/en-us/library/aa302378.aspx

    • Protection in transit:
      • To protect passwords and session IDs in transit, use SSL. At minimum, use SSL for every login page so that the credentials are protected.
      • Session IDs should not be transferred in query strings.
      • Session IDs should be long and complex enough that they cannot be guessed or decoded.
      • A session ID can be formed by encrypting it together with the client's IP address, so that the server can extract the IP address and compare it with the address of the client presenting the ID.
      • Session IDs must be changed when switching to SSL, when authenticating, and at other major transitions. Session IDs chosen by the user should never be accepted.
    • Make sure the session is ended when the user clicks the logout button.
    • Set the application timeout appropriately so that sessions are abandoned when the user closes the browser instead of clicking logout.
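The session-ID rules above, as an added example that is not code from the original post: a small in-memory session store in C#. It issues long random IDs, binds each ID to the client's IP address with an HMAC (the "encrypt it together with the IP address" idea, done with a keyed MAC rather than encryption since the server only needs to verify, not recover, the address), re-issues the ID when the user authenticates, honours only IDs it issued itself, and expires idle sessions. The class name SessionManager, the token layout, the sample IP addresses and the fixed clock in Main are this example's own constructions; a real application would take the client IP from the request and persist the store. It assumes .NET 4.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post. Minimal server-side session
// store demonstrating: long random IDs, an HMAC over the client IP, ID
// regeneration at authentication, rejection of IDs the server never issued,
// and idle timeout. Assumes .NET 4.0 or later.
public sealed class SessionManager
{
    private sealed class Session
    {
        public string UserName;      // null until the user authenticates
        public DateTime LastSeenUtc;
    }

    private readonly byte[] serverKey = new byte[32];  // HMAC key, never leaves the server
    private readonly TimeSpan idleTimeout;
    private readonly Dictionary<string, Session> sessions = new Dictionary<string, Session>();

    public SessionManager(TimeSpan idleTimeout)
    {
        this.idleTimeout = idleTimeout;
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(serverKey);
    }

    // Token = base64(128 random bits) "." base64(HMAC-SHA256(serverKey, random || clientIp)).
    public string Create(string clientIp, DateTime nowUtc)
    {
        byte[] random = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(random);
        string token = Convert.ToBase64String(random) + "." + Convert.ToBase64String(Tag(random, clientIp));
        sessions[token] = new Session { LastSeenUtc = nowUtc };
        return token;
    }

    // True only if the token is well formed, its tag matches the presenting
    // client's IP, the server actually issued it, and it has not sat idle too long.
    public bool TryResolve(string token, string clientIp, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] random = null, presentedTag = null;
        try { random = Convert.FromBase64String(parts[0]); presentedTag = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(presentedTag, Tag(random, clientIp))) return false; // wrong IP or forged tag
        Session s;
        if (!sessions.TryGetValue(token, out s)) return false;                   // not issued by this server
        if (nowUtc - s.LastSeenUtc > idleTimeout) { sessions.Remove(token); return false; }
        s.LastSeenUtc = nowUtc;
        userName = s.UserName;
        return true;
    }

    // After the credentials check out: retire the pre-login ID and issue a fresh
    // one, so an ID observed before login cannot ride the authenticated session.
    public string Authenticate(string oldToken, string clientIp, string userName, DateTime nowUtc)
    {
        sessions.Remove(oldToken);
        string fresh = Create(clientIp, nowUtc);
        sessions[fresh].UserName = userName;
        return fresh;
    }

    public void Logout(string token) { sessions.Remove(token); }

    private byte[] Tag(byte[] random, string clientIp)
    {
        byte[] ip = Encoding.UTF8.GetBytes(clientIp);
        byte[] msg = new byte[random.Length + ip.Length];
        Buffer.BlockCopy(random, 0, msg, 0, random.Length);
        Buffer.BlockCopy(ip, 0, msg, random.Length, ip.Length);
        using (HMACSHA256 h = new HMACSHA256(serverKey)) return h.ComputeHash(msg);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime t0 = new DateTime(2010, 4, 8, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        SessionManager sm = new SessionManager(TimeSpan.FromMinutes(20));
        string user;
        string anon = sm.Create("192.0.2.10", t0);                             // pre-login session
        string auth = sm.Authenticate(anon, "192.0.2.10", "alice", t0);        // fresh ID after login
        Console.WriteLine("pre-login ID after login:  " + sm.TryResolve(anon, "192.0.2.10", t0, out user));
        Console.WriteLine("new ID, same IP:           " + sm.TryResolve(auth, "192.0.2.10", t0, out user) + " as " + user);
        Console.WriteLine("new ID, different IP:      " + sm.TryResolve(auth, "198.51.100.7", t0, out user));
        Console.WriteLine("client-chosen ID:          " + sm.TryResolve("AAAA.AAAA", "192.0.2.10", t0, out user));
        Console.WriteLine("after 21 idle minutes:     " + sm.TryResolve(auth, "192.0.2.10", t0.AddMinutes(21), out user));
        sm.Logout(auth);
    }
}
```

The IP tag is verified before the store is consulted, so a token presented from another address is rejected without a lookup; the store lookup then enforces that only server-issued IDs are honoured and that idle sessions expire. Binding to the client IP does break sessions for users whose address changes mid-session (mobile networks, some proxies), which is the trade-off to weigh before enabling it.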
