Cookieless Authentication



Description

Most web applications use cookies to keep track of session state. Some applications use other mechanisms to keep track of authenticated sessions. These custom authentication schemes are usually vulnerable to session hijacking. An attacker exploiting cookieless authentication schemes might gain elevated privileges by tampering with user-mutable parameters, or might hijack an authenticated session by intercepting it using some form of a man-in-the-middle attack.

Impact

Using cookieless authentication often allows an attacker to hijack user sessions. Once the attacker has hijacked a user's session, they can do anything that the user is allowed to do by the application. This usually allows the attacker to access and modify the user's data. If the attacker hijacks an administrator's session, they might be able to take full control of the application.

Countermeasures

To prevent this problem, use platform-provided session management, use TLS to protect authentication, set HTTP-Only and Secure flags on session cookies, and send session cookies only over TLS.

Use platform-provided session management:

Use TLS for authentication:

Set HTTP-Only and Secure flags on session cookies:

Send session cookies only over TLS:

Application Check

To check for adequate protection against this vulnerability, ensure that platform-provided session management is used, TLS is used for authentication, HTTP-Only and Secure flags are set on session cookies, and session cookies are sent only over TLS.

Platform-provided session management is used:

TLS is used for authentication:

HTTP-Only and Secure flags are set on session cookies:

Session cookies are sent only over TLS:

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Creating Secure ASP.NET Code

This in-depth course examines the development of secure Web applications in ASP.Net. It provides developers and testers with an overview of common Web application vulnerabilities and a set of nine best practices and techniques to follow in order to avoid them. Throughout the course, students are provided with interactive games and simulations designed to reinforce the secure design and coding concepts that were introduced.

COD 311 Creating Secure ASP.NET Code

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.

!Have a comment about this article? Send our team an email.