Improving Web Application Security: Threats and - CGISecurity

Chapter 22: Deployment Review 659

● Do you use SSL with Forms authentication?
SSL prevents session hijacking and cookie replay attacks. Check the requireSSL attribute of the element.

● Do you limit authentication cookie lifetime?
Minimize the cookie timeout to limit the amount of time an attacker can use the cookie to access your application. Check the timeout attribute on the element.

● Do you use sliding expiration?
Check the slidingExpiration attribute. slidingExpiration="true" means that the cookie expires at a fixed duration after its initial duration. The timeout clock is not reset after each request. Use of a sliding expiration is particularly recommended for applications that do not use SSL on all pages to protect the cookie.

● Do you use unique cookie paths and names?
Check that you use a separate cookie name and path for each Web application. This ensures that users who are authenticated against one application are not treated as authenticated when using a second application hosted by the same Web server. Check the path and name attributes on the element.

● Do you use the element?
You should not use the element on production servers. This element is intended for development and testing purposes only. Credentials should instead be stored in Microsoft Active Directory® directory service or SQL Server.

● How do you store credentials?
If your application uses Windows authentication, credentials are stored in Active Directory, which passes the credential management issue to the operating environment. If your application uses Forms authentication, make sure you use a SQL Server or Active Directory credential store.

● Do you store password hashes?
Make sure passwords are not stored in the database. Instead, store password hashes with added salt to foil dictionary attacks.

● Do you use strong passwords?
Your application should enforce the use of strong passwords. A good way to do this is to use a regular expression in the Forms logon page.
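The Forms authentication checks above can be automated against a web.config. The following review script is an added example, not code from the book: it assumes the standard ASP.NET `<forms>` element (attributes requireSSL, timeout, slidingExpiration, name, path, and the nested `<credentials>` element), uses two constructed config fragments, and treats the 20-minute timeout threshold as an assumption of this example rather than a figure from the book.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a weak deployment (not taken from the book).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="480" slidingExpiration="true">
        <credentials passwordFormat="Clear">
          <user name="alice" password="secret" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: the same settings after the review items are applied.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".AUTH_APP1" path="/app1" loginUrl="login.aspx"
             requireSSL="true" timeout="10" slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>"""

MAX_TIMEOUT_MINUTES = 20  # review threshold assumed for this example


def review_forms_auth(config_xml):
    """Return one finding string per failed checklist item for the <forms> element."""
    root = ET.fromstring(config_xml)
    forms = next(root.iter("forms"), None)
    if forms is None:
        return ["no <forms> element found: Forms authentication is not configured"]
    findings = []
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append("requireSSL is not true: cookie can be sent and replayed over plain HTTP")
    timeout = int(forms.get("timeout", "30"))  # 30 minutes is the ASP.NET default
    if timeout > MAX_TIMEOUT_MINUTES:
        findings.append(f"timeout={timeout} minutes exceeds the {MAX_TIMEOUT_MINUTES} minute threshold")
    if forms.get("slidingExpiration", "true").lower() == "true":  # ASP.NET default is true
        findings.append("slidingExpiration=true: ASP.NET renews the ticket on use, so the lifetime is not fixed")
    if forms.get("name", ".ASPXAUTH") == ".ASPXAUTH":  # default cookie name
        findings.append("cookie name is the default .ASPXAUTH: not unique per application")
    if forms.get("path", "/") == "/":  # default cookie path
        findings.append("cookie path is '/': cookie is sent to every application on this server")
    if forms.find("credentials") is not None:
        findings.append("<credentials> element present: web.config credentials are for dev/test only")
    return findings
```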
