Broken authentication and session management.
Techniques to improve authentication and session management are:
- When storing passwords in a database, never store them in plaintext: store a salted password hash rather than the password itself.
- Enforce strong passwords.
- Avoid showing session IDs in URLs; don't allow URL rewriting.
- Configure a session timeout in web.xml and/or the server.
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app>
    ...
    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>
    ...
  </web-app>
- Provide a link for users to log out.
- Only send passwords and session IDs over an encrypted connection, e.g. HTTPS (TLS).
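The timeout, cookie-only session tracking and HTTPS-only cookie rules above can all be expressed in one Servlet 3.0 web.xml. This is an added example, not the original snippet; the web-app namespace and version are assumed for a Servlet 3.0 container.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed Servlet 3.0 deployment descriptor (added example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <!-- Idle sessions expire after 30 minutes; 0 or a negative value means never -->
    <session-timeout>30</session-timeout>
    <cookie-config>
      <!-- Session cookie is not exposed to client-side script -->
      <http-only>true</http-only>
      <!-- Browser only sends the session cookie over HTTPS -->
      <secure>true</secure>
    </cookie-config>
    <!-- Cookie-only tracking: the container never rewrites URLs with ;jsessionid=... -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

With tracking-mode set to COOKIE, `response.encodeURL()` returns the URL unchanged, so a session ID can no longer leak through links, logs or the Referer header.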