Updated: Oct 22, 2021
Broken authentication refers to a weakness in the design or implementation of access controls inherent in an online platform or application.
What scenarios can cause broken authentication?
Some common risk factors contributing to broken authentication, linked to either poor session management or poor credential management, are:
Predictable login credentials
User authentication credentials that are not protected when stored
Session IDs exposed in the URL (e.g., URL rewriting)
Session IDs vulnerable to session fixation attacks
Session value that does not time out or get invalidated after logout
Session IDs that are not rotated after successful login
Passwords, session IDs, and other credentials sent over unencrypted connections
How do you resolve broken authentication?
The OWASP broken authentication recommendations state that a session ID issued to a logged-in user is temporarily equivalent to the user’s original login credentials. If misconfigured, session IDs can easily be used to impersonate the user on the application, and they must therefore be carefully managed to prevent any weaknesses or loopholes from being exploited by attackers.
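As an added illustration (not code from the original post or from OWASP), the following in-memory session store shows the session-management half of the list above in practice: unpredictable IDs, rotation on login, server-side invalidation on logout, an idle timeout, and a cookie carrying the ID instead of the URL. The weak pattern that keeps the pre-login ID is kept alongside for contrast; the 15-minute timeout and the cookie name are assumed values.

```python
import secrets
import time

SESSION_TTL = 900  # idle timeout in seconds (assumed value)


class SessionStore:
    """In-memory session store hardened against the weaknesses listed above."""

    def __init__(self, now=time.time):
        self._sessions = {}  # sid -> {"user": ..., "last_seen": ...}
        self._now = now      # injectable clock so timeouts can be tested

    def new_session(self, user=None):
        # Unpredictable ID: 32 random bytes from the OS CSPRNG, URL-safe encoded
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        # Rotate on login: discard the pre-login ID so an ID an attacker
        # planted before authentication (session fixation) never becomes valid
        self._sessions.pop(old_sid, None)
        return self.new_session(user)

    def logout(self, sid):
        # Invalidate server-side; clearing the client cookie alone is not enough
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        # Returns the authenticated user, or None for unknown/expired/anonymous IDs
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid, None)  # idle session expired
            return None
        s["last_seen"] = self._now()
        return s["user"]


def login_without_rotation(store, sid, user):
    # The weak pattern: keep the pre-login ID and simply attach the user to it.
    # Anyone who already knows this ID is now authenticated as that user.
    store._sessions[sid]["user"] = user
    return sid


def cookie_header(sid):
    # Carry the ID in a cookie with Secure/HttpOnly/SameSite, never in the URL
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```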