Authentication and Authorization on the Web (Web Security Topics) by Nigel Chapman & Jenny Chapman
Author: Nigel Chapman & Jenny Chapman
Language: eng
Format: epub, mobi, azw3
Published: 2012-10-15T21:00:00+00:00
Key Points
When access to a Web application is controlled by data in a session, a hacker may attempt to break in by forging a valid session, or by hijacking a genuine user’s session.
Session ids should be as long as possible.
Avoid embedding email addresses, IP addresses, the time of day or a linearly incremented sequence number in a session id.
Long, unpredictable session ids that don’t encode any guessable information are resistant to brute-force attacks and forgery.
If a session id is a cryptographic hash of a random quantity, used solely to look up the session data in the database, it is very difficult for an attacker to create a valid fake session.
If session ids are stored in cookies, copying a session id is equivalent to copying a cookie.
Wireless networks, including domestic networks, that are not properly secured may be vulnerable to eavesdropping.
More advanced eavesdropping techniques are sometimes used against wired networks and routers, especially by insiders.
An eavesdropper who obtains the value of a current session id from a cookie may masquerade as a logged-in user and access restricted resources in their name.
Sending cookies over a secure connection using HTTPS prevents their being intercepted, but may cause an unacceptable overhead.
Cookies can be stolen from shared devices if browsers are not cleaned up when users leave.
To minimize the risk of cookies being stolen, sessions should be expired on the server. Care must be taken to ensure that this does not result in unacceptable loss of data from POST requests.
When considering what data to store in a cookie you should take the most pessimistic view and treat a cookie as if it were readable by anyone.
Storing certain types of data (e.g. credit balances) in cookies may allow replay attacks, even if a hash is used.
Passing session ids in query strings is dangerous, since it allows sessions to be hijacked by way of the Referer header of any request from a link planted in the site.
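The following is an added example, not code from the book: a server-side session store whose ids are a hash of a random quantity used only as a lookup key (with expiry enforced on the server), placed next to a signed-cookie balance that shows why a hash alone does not stop replay. Class and function names, the 32-byte id size and the secret are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a server-side session store. The id sent in the cookie is
# SHA-256 of 32 random bytes, encodes no user, address, time or counter, and is
# only ever used to look the session up. Expiry is decided by the server clock.
class SessionStore:
    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}         # session id -> (user, data, expires_at)

    def create(self, user):
        # Random bytes come from the OS CSPRNG via the secrets module.
        sid = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        self._sessions[sid] = (user, {}, self.clock() + self.ttl)
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, data, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]  # expired server-side: a stolen cookie is now useless
            return None
        return user, data

    def destroy(self, sid):
        # Logout must remove the server-side record, not merely clear the cookie.
        self._sessions.pop(sid, None)


# Contrast: a credit balance kept in a signed cookie. The MAC stops tampering,
# but every older cookie still verifies, so a saved copy replays the old balance.
def sign_balance(secret, balance):
    mac = hmac.new(secret, str(balance).encode(), hashlib.sha256).hexdigest()
    return f"{balance}|{mac}"

def verify_balance(secret, cookie):
    # Returns the balance the cookie asserts, or None if the MAC does not match.
    balance, _, mac = cookie.partition("|")
    expected = hmac.new(secret, balance.encode(), hashlib.sha256).hexdigest()
    return int(balance) if hmac.compare_digest(mac, expected) else None
```

The store keeps the balance on the server, so replaying an old session cookie cannot restore spent credit; only the id is replayed, and expiring or destroying the session invalidates it.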