Don't allow the login page to be framed
Allowing the login page to be displayed within a frame can open the application up to a cross frame scripting vulnerability in some browsers. The EComm Core provides functionality to prevent framing in traditional template-based, JSP-based, and JavaServer Faces applications.
Don't disclose information through the help page
If the login page links to a help system, the information available should only cover the login page and other pages that are accessible before the user logs into the application. It's a common mistake to expose additional information through the help system. This may assist potential attackers who wish to learn about how the application works and what functionality is available.
Offset the User Id and Password fields from the center of the page
A common phishing technique is to insert code into a session that results in an HTTP Basic Authentication box displaying in the center of the screen. If the User Id and Password entry fields are centered on the page, they can be hidden by the dialog and the user may enter their credentials into the wrong input fields.
Don't prefill user id and password data
A login page should never prefill the user id and password fields with previously entered data. For example, if the user enters an incorrect password, when the page is redisplayed, both fields should be empty. To prevent the browser from prefilling the fields, both input elements should have the autocomplete='off' attribute set.
Don't use unique error codes or messages for User Id or Password errors
Using unique error codes or messages for User Id or Password errors can lead to inadvertent information disclosure. This could allow an attacker to identify valid User Ids and potentially guess a common password or launch a denial-of-service attack.
Establish a new session after authentication
For simple applications, the best approach is to code the login page so it doesn't establish a session. However, many more complex applications require a session before the user is authenticated to implement functions such as new user enrollment or password changes and resets. If a session is established before authentication, it should be deleted and a new session established after the user authenticates to avoid a session fixation attack.
Redirect the user after authentication
After the user has been authenticated, the next page the application displays should not be the application's landing page, but instead should be a page that uses a meta refresh tag to redirect the user to the landing page using the newly established session identifier.
This prevents a security issue where the user can log out, then use the browser's Back button to return to the landing page and click Refresh, which causes the browser to resubmit the login credentials and establish a new session.
If the user attempts this with an application that has a redirect between the login and landing pages, the information the browser resubmits is the session identifier (which is now invalid), not the login credentials.
Use cookies correctly
Session cookies should be marked Secure and HttpOnly.
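The following is an added example, not code from the original page or the EComm Core: a minimal framework-free login handler that applies the checklist above in one place, namely the anti-framing headers, the single generic error message, empty non-prefilled fields, the session re-established after authentication, the meta-refresh interstitial before the landing page, and the Secure/HttpOnly session cookie. The user store, session store, cookie name JSESSIONID and the /landing URL are constructed for illustration.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed demo user store: user id -> SHA-256 of the password (illustration only;
# a real application would use a salted password hash such as PBKDF2 or bcrypt).
USERS = {"alice": sha256(b"correct horse").hexdigest()}
SESSIONS = {}                    # session id -> {"user": str | None}
GENERIC_ERROR = "The user id or password is incorrect."

def security_headers(session_id):
    """Headers every login-flow response carries: no framing, Secure + HttpOnly cookie."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Set-Cookie": f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict",
    }

def new_session(user=None):
    """Create a fresh, unguessable session id (256 bits of randomness)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid

def login(pre_auth_sid, user_id, password):
    """Return (status, headers, body). Unknown user id and wrong password produce
    the identical response, so neither reveals which user ids exist."""
    expected = USERS.get(user_id)
    supplied = sha256(password.encode()).hexdigest()
    # compare_digest keeps the comparison constant-time; an unknown id is simply a failure.
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    if not ok:
        # Redisplay the form with both fields empty; autocomplete=off stops browser prefill.
        body = ('<form method="post"><input name="j_username" autocomplete="off">'
                '<input name="j_password" type="password" autocomplete="off"></form>'
                f'<p>{GENERIC_ERROR}</p>')
        return 200, security_headers(pre_auth_sid), body
    # Session fixation defence: discard the pre-authentication session, issue a new one.
    SESSIONS.pop(pre_auth_sid, None)
    sid = new_session(user_id)
    # Interstitial page: a meta refresh sends the browser to the landing page, so a later
    # Back + Refresh replays this page with the (by then invalid) session id, not credentials.
    body = '<meta http-equiv="refresh" content="0; url=/landing">'
    return 200, security_headers(sid), body
```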