session
- session hijacking
- anti-pattern: session id in plain text
- ref: cross site scripting (XSS)
- session fixation (hacker creates valid session, and tries to get the target to use it)
- Anti-pattern: authenticating an existing session
- pattern: generate a new session ID when (re)authenticating
- session prediction
- Anti-pattern: session IDs based on user’s own data
- Anti-pattern: sequential session ids
just because a session looks random, does not mean it is random
guidelines for handling session IDs
pattern: long session ID with lots of entropy
pattern: session id from random with cryptographic properties
anti-pattern: session id from language’s built-in random function
pattern: protect against XSS
pattern: generate a new session ID when (re)authenticating
pattern: use up-to-date platform session management
pattern: use ONLY cookies to exchange session IDs (disable all other ways)
anti-pattern: accept session IDs via query parameters
exercise: write a cURL command for a TLS-secured call to a development server using a self-signed certificate
Antipattern Metaphor: pie-crust defense
You had to authenticate to cross a boundary,
but services inside the "pie" could call each other freely
Authentication options:
- first-party (build it yourself)
- third-party (eg. Kerberos, NTLM, Oauth)
(src: