Reviewing Code for Authentication

2006-12-07T11:01:18Z

Raj28 3:

== '''Introduction''' ==
“Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Depending on your requirements, there are several available authentication mechanisms to choose from. If they are not correctly chosen and implemented, the authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.

== '''Authentication''' ==
In the .NET, there is Authentication tags in the configuration file.

The <'''authentication'''> element configures the authentication mode that your applications use.

<'''authentication'''>

The appropriate authentication mode depends on how your application or Web
service has been designed. The default Machine.config setting applies a secure
Windows authentication default as shown below.

''' authentication Attributes:mode="[Windows|Forms|Passport|None]" '''

<authentication mode="Windows" />

''' Forms Authentication Guidelines '''
To use Forms authentication, set mode=“Forms” on the <authentication> element.
Next, configure Forms authentication using the child <forms> element. The
following fragment shows a secure <forms> authentication element configuration:

<authentication mode="Forms">
<forms loginUrl="Restricted\login.aspx" Login page in an SSL protected folder
protection="All" Privacy and integrity
requireSSL="true" Prevents cookie being sent over http
timeout="10" Limited session lifetime
name="AppNameCookie" Unique per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding session lifetime
</forms>
</authentication>

Use the following recommendations to improve Forms authentication security:
* Partition your Web site.
* Set protection=“All”.
* Use small cookie time-out values.
* Consider using a fixed expiration period.
* Use SSL with Forms authentication.
* If you do not use SSL, set slidingExpiration = “false”.
* Do not use the <credentials> element on production servers.
* Configure the <machineKey> element.
* Use unique cookie names and paths.

OWASP Code Review Guide Table of Contents

2006-12-07T10:02:01Z

Raj28 3: /* Examples by Vulnerability */

==Methodology==

#[[Code Review Introduction|Introduction]]

NOTE: The following two sections seem to describe quality code review processes, not specifically focused on security. Security code reviews are somewhat different as they require an understanding of the threat model.

#[[Steps and Roles]]
#[[Code Review Processes]]
[[Category:OWASP Code Review Project]]

==[[Design review]] ==

==Examples by Vulnerability==
#[[Buffer Overruns and Overflows|Buffer Overruns and Overflows]]
#[[OS Injection]]
#[[Reviewing Code for SQL Injection|SQL Injection]]
#[[Data Validation (Code Review)|Data Validation]]
#[[Error Handling]]
#[[The Secure Code Environment]]
#[[Transaction Analysis]]
#[[Authorization]]
#[[Authentication (Code review)|Authentication]]
#[[Session Integrity]]
#[[Cryptography]]

== Language specific best practice ==

===Java===
#[[Inner classes]]
#[[Class comparison]]
#[[Cloneable classes]]
#[[Serializable classes]]
#[[Package scope and encapsulation]]
#[[Mutable objects]]
#[[Private methods & circumvention]]

===.NET===

===PHP===

==[[Automating Code Reviews]] ==

==[[References]]==

[[Category:OWASP Code Review Project]]

OWASP - User contributions [en]

Reviewing Code for Authentication

OWASP Code Review Guide Table of Contents