Broken authentication and session management.

Techniques to improve authentication and session management are:

• When storing passwords in a database, encrypt them.
• Enforce strong passwords.
• Avoid showing session IDs in URLs; don't allow URL rewriting.
• Configure a session timeout in web.xml and/or the server.

  <?xml version="1.0" encoding="UTF-8"?>
  <web-app>
  
    ...
  
    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>
  
    ...
  
  </web-app>

• Provide a link for users to log out.
• Only send passwords and session IDs over an encrypted link e.g. SSL/https.