On the face of it, authentication is conceptually among the simplest of all the security mechanisms employed within web applications. In the typical case, a user supplies her username and password, and the application must verify that these items are correct. If so, it lets the user in. If not, it does not.

Authentication also lies at the heart of an application's protection against malicious attack. It is the front line of defense against unauthorized access, and if an attacker can defeat those defenses, they will often gain full control of the application's functionality, and unrestricted access to the data held within it. Without robust authentication to rely upon, none of the other core security mechanisms (such as session management and access control) can be effective.

In fact, despite its apparent simplicity, devising a secure authentication function is an extremely subtle business, and in real-world web applications authentication is very often the weakest link, which enables an attacker to gain unauthorized access. The authors have lost count of the number of applications that we have fundamentally compromised as a result of various defects in authentication logic.

This chapter will look in detail at the wide variety of design and implementation flaws that commonly afflict web applications. These typically arise because the application designers and developers fail to ask a simple question: What could an attacker achieve if he were to target ...