This document describes the Identification and Authentication Failures that can introduce vulnerabilities into your application.
Confirming the user's identity, authentication, and session management are critical to protecting against authentication-related attacks. Below you can find the most frequent failures according to OWASP and ways to prevent them.
Read more at: Identification and Authentication Failures - OWASP Documentation
- Authentication Cheat Sheet
  - Implement proper password strength controls
  - Implement secure password recovery mechanism
  - Authentication and error messages
- Session Management Cheat Sheet
- GeneXus uses the session management mechanisms provided by the base platform of the generated application (Java or .NET). It also provides the Encrypt URL parameters property to encrypt the parameters of the exposed objects, and encrypts AJAX requests and responses.
- The AJAX authentication key is bound to the session and expires after a configurable period.
- Verify that all objects accessible over HTTP/HTTPS receive encrypted parameters.
- If GeneXus Evolution 1 is used, check that the Ajax requests security property is set to High.
- If GeneXus Evolution 2 is used, check that the JavaScript Debug Mode property is set to No.
- Configure the On session timeout property appropriately.
- Implement a re-authentication mechanism to be used before sensitive operations (such as changing a password or e-mail address).
- Avoid the default names of the cookies used for session identifiers (for example, JSESSIONID in Java or ASP.NET_SessionId in .NET).
- Avoid short session identifiers; OWASP recommends at least 128 bits of entropy.
- Use cookies with the Secure, HttpOnly, SameSite, Domain, and Path attributes configured.
- Invalidate (destroy) the web session as part of the logout process.
- Set the expiration time for the web session on the application server.
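The cookie-related items in the list above (default cookie names, short identifiers, missing Secure/HttpOnly/SameSite/Domain/Path attributes) can be verified against the Set-Cookie headers the deployed application actually emits, regardless of whether it was generated for Java or .NET. The following Python script is an added example written for this page; it is not part of the original document or of GeneXus. The two sample headers and the GXAPPSESSION cookie name are constructed for illustration, and the 128-bit threshold is the OWASP Session Management Cheat Sheet recommendation rather than a GeneXus setting.

```python
"""Audit Set-Cookie headers against the session-cookie hardening checklist.

Added example; the sample headers below are constructed, not captured from a
real application.
"""
import math
import string
from dataclasses import dataclass, field

# Default session-cookie names of common runtimes. The Java servlet and ASP.NET
# names are the ones a GeneXus application inherits from its platform.
DEFAULT_SESSION_COOKIE_NAMES = {"JSESSIONID", "ASP.NET_SESSIONID", "PHPSESSID", "SESSIONID", "SID"}

# OWASP Session Management Cheat Sheet: a session ID should carry at least 128 bits of entropy.
MIN_SESSION_ID_BITS = 128


@dataclass
class CookieAudit:
    name: str
    value: str
    attributes: dict
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie header into (name, value, {attribute: value-or-None}).

    Attribute names are lower-cased so that 'HttpOnly' and 'httponly' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to None.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def estimated_entropy_bits(value: str) -> float:
    """Upper-bound estimate of the randomness a session identifier can hold.

    Hex strings score 4 bits per character; otherwise the alphabet is the union of
    the character classes present. This cannot detect predictable values such as
    counters or timestamps; it only flags identifiers too short to hold 128 bits.
    """
    if not value:
        return 0.0
    if all(c in string.hexdigits for c in value):
        alphabet = 16
    else:
        alphabet = 0
        if any(c in string.digits for c in value):
            alphabet += 10
        if any(c in string.ascii_lowercase for c in value):
            alphabet += 26
        if any(c in string.ascii_uppercase for c in value):
            alphabet += 26
        if any(c in "-_+/=." for c in value):
            alphabet += 4  # base64 / URL-safe punctuation
        if alphabet == 0:
            return 0.0
    return len(value) * math.log2(alphabet)


def audit_session_cookie(header: str) -> CookieAudit:
    """Apply the checklist to one Set-Cookie header assumed to carry the session ID."""
    name, value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name, value, attrs)
    f = audit.findings
    if name.upper() in DEFAULT_SESSION_COOKIE_NAMES:
        f.append("default session cookie name")
    if estimated_entropy_bits(value) < MIN_SESSION_ID_BITS:
        f.append("short session identifier")
    if "secure" not in attrs:
        f.append("missing Secure")
    if "httponly" not in attrs:
        f.append("missing HttpOnly")
    if "samesite" not in attrs:
        f.append("missing SameSite")
    elif (attrs["samesite"] or "").lower() == "none":
        f.append("SameSite=None allows cross-site sending")
    if "domain" not in attrs:
        f.append("missing Domain")
    if "path" not in attrs:
        f.append("missing Path")
    return audit


# Constructed sample headers: a platform default next to a hardened configuration.
WEAK_HEADER = "Set-Cookie: JSESSIONID=1234ABCD; Path=/"
HARDENED_HEADER = (
    "Set-Cookie: GXAPPSESSION=9f86d081884c7d659a2feaa0c55ad015; "
    "Path=/; Domain=app.example.com; Secure; HttpOnly; SameSite=Strict"
)

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_session_cookie(header)
        print(f"{result.name}: {'OK' if result.ok else '; '.join(result.findings)}")
```

Run it against headers captured from the login response of the deployed application (for example, with the browser's network inspector or curl -I). A clean audit of the cookie does not replace the server-side items in the list: session timeout, invalidation on logout and re-authentication before sensitive operations still have to be checked in the application itself.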
Since GeneXus 18 upgrade 1.