Frequently Asked Questions

Authentication and Session Management Flaws

Last Updated: June 1, 2011 3:46 PM

Authentication and session management are the parts of a website that establish who a visitor is and keep track of that identity from one request to the next: logging in, remembering preferences, timing out after a period of inactivity. A flaw in any of these functions puts individual accounts, or possibly every user of the site, at risk of compromise.

Many functions are involved in authentication and session management, so the vulnerabilities range widely: exposing session IDs in the URL (where they end up in browser history, bookmarks, logs and Referer headers), transmitting credentials or session cookies without TLS (SSL), predictable session IDs, or sessions that never expire. Depending on the flaw, an attacker can hijack an existing session or impersonate another user outright.

For example: Amy logs in to one of her accounts from a shared computer at the library. When she is done, she simply closes the window and does not click Log Out.

The next day, another person opens the browser on the same computer and visits the same website. The website does not expire idle sessions, so Amy's session, with all of her contact information, is still active and the second person is logged in as her.
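The following is an added example, not code from the original FAQ: a minimal server-side session store, written here to show how the flaws above are avoided in practice. It enforces an idle timeout (Amy's case), an absolute session lifetime, logout, and ID rotation after login, generates IDs from the operating system's CSPRNG, and emits the cookie header that keeps the ID out of the URL and off plain HTTP. All names, timeouts and the cookie name `sid` are assumptions for illustration, not values from the page.

```python
"""Added example (not from the original FAQ): a minimal session store that
avoids the session-management flaws the text describes. Names, timeouts and
the cookie name are hypothetical choices for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, regardless of activity


@dataclass
class Session:
    user: str
    created: float    # when the session was issued (absolute lifetime)
    last_seen: float  # last request on this session (idle timeout)


class SessionStore:
    """Server-side store: the client only ever holds an opaque random token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG. Never derive a session ID from the
        # username, a counter or the clock: those are guessable.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the session's user, or None if the token is unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            # Amy's walk-away case: an idle session is dropped, not reused.
            del self._sessions[token]
            return None
        s.last_seen = now  # activity extends the idle window, not the hard cap
        return s.user

    def destroy(self, token: str) -> None:
        """Logout: invalidate server-side, not just by clearing the cookie."""
        self._sessions.pop(token, None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh ID for a live session (do this at login and on
        privilege change) so an ID an attacker planted beforehand is useless."""
        if self.lookup(token) is None:
            return None
        s = self._sessions.pop(token)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s  # keeps the original creation time
        return new_token


def session_cookie_header(token: str) -> str:
    """The ID travels in a cookie (never in the URL), is only sent over TLS
    (Secure), is hidden from page scripts (HttpOnly), and is not attached
    to top-level cross-site POSTs (SameSite=Lax). Cookie name is hypothetical."""
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Walk through the library scenario with a fake clock (constructed data).
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    amy = store.create("amy")
    print(session_cookie_header(amy))
    print("same afternoon:", store.lookup(amy))   # amy
    now[0] += 24 * 3600                             # the next day
    print("next day:", store.lookup(amy))           # None: the idle timeout expired it
```

The important design point is that expiry is decided on the server from `last_seen` and `created`, so it holds even when the browser is never closed and no logout request arrives; a cookie `Max-Age` alone only asks the client to forget the ID.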

If your website uses authentication or session management, build those functions against a defined set of requirements rather than case by case: generate session IDs with a cryptographically secure random generator, carry them only in cookies (never in the URL), send them only over TLS, expire them after a period of inactivity and on logout, and issue a new ID when a user logs in. OWASP's Application Security Verification Standard (ASVS) lists these and related requirements in a form you can check against.

To learn more about broken authentication and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.