Authentication is critical to the security of web applications. Attackers try to obtain passwords or session IDs in order to gain access to protected information. Here are a few ways to prevent attacks on authentication:
- Prevent automated brute-force attacks by adding a CAPTCHA. A CAPTCHA alone is not perfect, so combine it with account lock-down, which is a very effective deterrent against brute-force attacks.
- Transfer session keys in cookies (do not expose session IDs in the URL), and make session keys unpredictable. Passing session IDs in the URL is normally used only as a fallback when cookies are blocked on the client side.
- Keep the lifetime of session IDs short and ensure that the server rejects them after logout.
- Use two-factor authentication.
- In a session fixation attack, the attacker wants you to access your account with a session ID of their choosing. An easy fix for this problem is to not let the client choose session IDs.
- Do not leave your session active once you are done with your activity; log out at the end of every session. Logging out also automatically logs out any attacker who is using the same session.
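The following is an added example, not code from the original article, showing how the points above fit together in a minimal server-side login and session layer: per-account lock-down after repeated failures, session IDs drawn from a CSPRNG and transported only in a cookie, a short lifetime enforced on the server, revocation on logout, and a fresh ID issued at login so a client-presented ID is never adopted (the session fixation defence). The thresholds, the user record, the salt and the `LoginGuard`/`SessionManager`/`login` names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60     # assumed: short session lifetime
MAX_FAILED_LOGINS = 5             # assumed: failures before account lock-down
LOCKOUT_SECONDS = 10 * 60         # assumed: how long the lock-down lasts


def hash_password(password, salt):
    # PBKDF2-SHA256; the iteration count is a constructed value for this example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record; a real store keeps a per-user salt and hash.
_SALT = b"constructed-salt-16b"
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


class LoginGuard:
    """Counts failed logins per account and locks the account after a threshold."""

    def __init__(self, max_failures=MAX_FAILED_LOGINS, lockout=LOCKOUT_SECONDS, clock=time.time):
        self._state = {}          # user -> (failure_count, locked_until)
        self._max = max_failures
        self._lockout = lockout
        self._clock = clock       # injectable so expiry can be tested deterministically

    def is_locked(self, user):
        _, locked_until = self._state.get(user, (0, 0.0))
        return self._clock() < locked_until

    def record_failure(self, user):
        count, locked_until = self._state.get(user, (0, 0.0))
        count += 1
        if count >= self._max:
            locked_until = self._clock() + self._lockout   # temporary lock-down
            count = 0
        self._state[user] = (count, locked_until)

    def record_success(self, user):
        self._state.pop(user, None)


class SessionManager:
    """Server-side session store: random IDs, short TTL, revocation on logout."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}       # session_id -> (user, expires_at)
        self._ttl = ttl
        self._clock = clock

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unpredictable
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def cookie_header(self, sid):
        # The ID travels only in a cookie, never in the URL. HttpOnly keeps it away from
        # page scripts, Secure keeps it off plaintext HTTP, SameSite=Lax limits cross-site
        # sending, and Max-Age mirrors the server-side lifetime.
        return (f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; "
                f"Max-Age={self._ttl}")

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]   # expired: the server forgets it
            return None
        return user

    def logout(self, sid):
        # Server-side revocation: a retained cookie value is useless after this.
        self._sessions.pop(sid, None)


def login(guard, sessions, user, password, presented_sid=None):
    """Return a new session ID on success, else None. Never adopts the ID the client sent."""
    if guard.is_locked(user):
        return None
    record = USERS.get(user)
    # Always hash and compare in constant time, even for unknown users, so response
    # timing does not reveal which usernames exist.
    salt, stored = record if record else (_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(hash_password(password, salt), stored) and record is not None
    if not ok:
        guard.record_failure(user)
        return None
    guard.record_success(user)
    if presented_sid is not None:
        sessions.logout(presented_sid)   # session fixation defence: discard the presented ID
    return sessions.create(user)
```

In a real deployment the two stores would live in a shared backend rather than in-process dictionaries, and the lock-down counter would usually be paired with a CAPTCHA as the text suggests; the structure of the checks stays the same.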