Following are some guidelines that help keep the authentication process secure.
For User Authentication
- Credentials must not be stored in browsers or other insecure locations.
- Application logs must not record sensitive data such as passwords.
- Use two-factor authentication.
- Login requests must be sent as POST requests over HTTPS.
- A password reset must ask for the old password.
- Passwords must meet a minimum character-set requirement and include special characters.
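As an added example (not code from the original post), the following Python shows two of the points above in working form: a password-policy check that reports every violation, and a logging filter that scrubs password, token and cookie values before they reach the log. The minimum length, the special-character set and the field names the filter recognises are assumptions chosen for this illustration.

```python
import logging
import re

# Assumed policy values (hypothetical; set per application).
MIN_LENGTH = 12
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def check_password_policy(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


# Field names treated as secrets in log lines (assumed list; extend as needed).
_SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|token|cookie)(\s*[=:]\s*)[^\s&;,]+")


def redact_secrets(message: str) -> str:
    """Replace the value of any secret-looking field with a fixed marker."""
    return _SECRET_FIELD.sub(r"\1\2[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites each record so secrets never reach a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies any %-args, so we redact the fully formatted text.
        record.msg = redact_secrets(record.getMessage())
        record.args = ()
        return True


def install_redaction(logger_name: str = "auth") -> logging.Logger:
    """Attach the redacting filter to a logger and return it."""
    logger = logging.getLogger(logger_name)
    logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    print(check_password_policy("short"))
    print(check_password_policy("Tr0ub4dor&3!"))
    log = install_redaction()
    logging.basicConfig(level=logging.INFO)
    # Constructed sample log line: the password value is scrubbed before output.
    log.info("login attempt user=alice password=hunter2 ip=203.0.113.5")
```

The filter is attached to the logger rather than to a single handler so that every destination (file, console, SIEM shipper) receives the same redacted record.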
Once the user logs in, the session needs to be managed.
For Session Management
- Prefer host-based cookies over domain-based cookies.
- Mandate the Secure, HttpOnly and SameSite flags for cookies.
- Do not write cookie values to logs.
- Sessions must have both an idle timeout and an absolute (maximum lifetime) timeout.
- Must support a logout feature.
- Must validate the user's session on every request that carries the cookie.
- Allow server-side termination of sessions so that an already logged-in user can be blocked.
- Provide an option to cap the number of concurrent sessions per user.
- The cookie created should be bound to the client IP or other user-machine-specific information to avoid replay attacks.
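The session-management items above fit together in one server-side session store. The following Python is an added example, not code from the original post: the cookie carries only a random session ID, and the store enforces idle and absolute timeouts, a concurrent-session cap, server-side termination of a user's sessions, logout, and binding of each session to the client's IP address and User-Agent. The timeout values, the session cap and the use of SHA-256 over IP plus User-Agent as the binding are assumptions chosen for this illustration; the `__Host-` cookie prefix, `Secure`, `HttpOnly` and `SameSite` are real browser features.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (hypothetical; set per application).
IDLE_TIMEOUT_S = 15 * 60          # idle timeout: 15 minutes without a request
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60  # absolute timeout: 8 hours from login, regardless of activity
MAX_SESSIONS_PER_USER = 3         # cap on concurrent sessions per user


@dataclass
class Session:
    user_id: str
    binding: str        # hash of client IP + User-Agent captured at login
    created_at: float
    last_seen: float
    revoked: bool = False


class ManualClock:
    """Controllable clock so timeouts can be exercised without waiting (for demos/tests)."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class SessionStore:
    """Server-side session store: the browser holds only an opaque random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> Session

    @staticmethod
    def _bind(client_ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user_id: str, client_ip: str, user_agent: str) -> str:
        now = self._clock()
        # Concurrent-session cap: revoke the oldest live sessions until there is room.
        live = sorted(
            (sid for sid, s in self._sessions.items() if s.user_id == user_id and not s.revoked),
            key=lambda sid: self._sessions[sid].created_at,
        )
        while len(live) >= MAX_SESSIONS_PER_USER:
            self._sessions[live.pop(0)].revoked = True
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        self._sessions[sid] = Session(user_id, self._bind(client_ip, user_agent), now, now)
        return sid

    def validate(self, sid: str, client_ip: str, user_agent: str):
        """Return the user_id if the session is live and bound to this client, else None."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_S or now - s.created_at > ABSOLUTE_TIMEOUT_S:
            s.revoked = True
            return None
        if not hmac.compare_digest(s.binding, self._bind(client_ip, user_agent)):
            s.revoked = True  # cookie presented from a different client: treat as a replay
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, sid: str) -> None:
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True

    def terminate_user(self, user_id: str) -> int:
        """Server-side kill switch: revoke every live session of a user; returns the count."""
        n = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                n += 1
        return n


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value. The __Host- prefix makes the browser refuse the cookie
    unless it is Secure, has Path=/ and carries no Domain attribute, i.e. it is host-based."""
    return f"__Host-session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "203.0.113.5", "ExampleBrowser/1.0")  # constructed client values
    print(set_cookie_header(sid))
    print(store.validate(sid, "203.0.113.5", "ExampleBrowser/1.0"))
    store.terminate_user("alice")
    print(store.validate(sid, "203.0.113.5", "ExampleBrowser/1.0"))
```

Binding to the client IP is a trade-off: users behind carrier-grade NAT or on mobile networks change addresses mid-session and will be logged out when the binding check fails, so many deployments bind only to stable attributes or treat a mismatch as a step-up authentication trigger rather than an immediate revocation.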