Using cookieless authentication often allows an attacker to hijack user sessions: with cookieless mode the session or authentication ticket is carried in the URL instead of a cookie, so it is exposed in browser history, proxy and server logs, and Referer headers. Once the attacker has hijacked a user's session, they can do anything that the user is allowed to do by the application. This usually allows the attacker to access and modify the user's data. If the attacker hijacks an administrator's session, they might be able to take full control of the application.
To prevent this problem, use platform-provided session management, use TLS to protect authentication, set HTTP-Only and Secure flags on session cookies, and send session cookies only over TLS.
Use platform-provided session management:
Use TLS for authentication:
Set HTTP-Only and Secure flags on session cookies:
Send session cookies only over TLS:
To check for adequate protection against this vulnerability, ensure that platform-provided session management is used, TLS is used for authentication, HTTP-Only and Secure flags are set on session cookies, and session cookies are sent only over TLS.
Platform-provided session management is used:
TLS is used for authentication:
HTTP-Only and Secure flags are set on session cookies:
Session cookies are sent only over TLS:
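As an added example (not part of this page or the Team Professor course material), the following Python audit applies the four checks above to an ASP.NET web.config: it flags any cookieless mode other than UseCookies on sessionState and forms, a missing requireSSL on forms, and missing httpOnlyCookies or requireSSL on httpCookies. The two config fragments are constructed samples, and the attribute defaults assumed when an attribute is absent are noted in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (sample input, not from the page): a weak one
# that lets ASP.NET carry tickets in the URL, and a hardened cookie-only one.
WEAK_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseUri" />
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" cookieless="AutoDetect" />
  </authentication>
  <httpCookies httpOnlyCookies="false" requireSSL="false" />
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseCookies" />
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" cookieless="UseCookies" requireSSL="true" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web></configuration>"""

# Only UseCookies never falls back to a URL-carried ID (UseUri, AutoDetect and
# UseDeviceProfile all can), so it is the only acceptable value.
COOKIE_ONLY = {"UseCookies"}

def _is_true(element, attr):
    """Boolean attribute check; a missing element or attribute counts as false."""
    return element is not None and element.get(attr, "false").lower() == "true"

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all four checks pass."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    session = web.find("sessionState")
    # sessionState cookieless defaults to UseCookies when the attribute is absent.
    if session is not None and session.get("cookieless", "UseCookies") not in COOKIE_ONLY:
        findings.append("sessionState cookieless=%s puts the session ID in the URL" % session.get("cookieless"))
    forms = web.find("authentication/forms")
    if forms is not None:
        # forms cookieless defaults to UseDeviceProfile, which is not cookie-only.
        if forms.get("cookieless", "UseDeviceProfile") not in COOKIE_ONLY:
            findings.append("forms cookieless=%s can put the auth ticket in the URL" % forms.get("cookieless", "UseDeviceProfile"))
        if not _is_true(forms, "requireSSL"):
            findings.append("forms requireSSL is not true: auth cookie may be sent over plain HTTP")
    cookies = web.find("httpCookies")
    if not _is_true(cookies, "httpOnlyCookies"):
        findings.append("httpCookies httpOnlyCookies is not true: cookies readable from script")
    if not _is_true(cookies, "requireSSL"):
        findings.append("httpCookies requireSSL is not true: Secure flag not set on cookies")
    return findings
```

Running `audit_web_config(WEAK_CONFIG)` reports five findings, one per weak setting, while the hardened fragment reports none.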
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerability.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Creating Secure ASP.NET Code
This in-depth course examines the development of secure Web applications in ASP.NET. It provides developers and testers with an overview of common Web application vulnerabilities and a set of nine best practices and techniques to follow in order to avoid them. Throughout the course, students are provided with interactive games and simulations designed to reinforce the secure design and coding concepts that were introduced.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact email@example.com for help.