# Auth and Session
## Auth (better be quick)
Auth related (more in the logic, priv, and transport sections):
- User/pass discrepancy flaw (different error or timing for "unknown user" vs "wrong password")
- Registration page harvesting (username/email enumeration)
- Login page harvesting
- Password reset page harvesting
- No account lockout or rate limiting
- Weak password policy
- Password not required for account updates (email, password change)
- Password reset tokens with no expiry, or that can be re-used
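The last item on the list is easiest to see next to a working reference. The following is an added example (not from this page or any project it describes) of a reset-token store with the checklist flaw (tokens never expire and redeem more than once) beside a hardened version: random token, only its hash kept server-side, 15-minute expiry (an assumed policy), single use, and newer tokens invalidating older ones for the same user. Class names, the TTL and the `now` parameter (for deterministic testing) are all assumptions of this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link lives 15 minutes


@dataclass
class _Record:
    user: str
    issued_at: float


class WeakResetStore:
    """The checklist flaw: tokens never expire and may be redeemed repeatedly."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, now=None):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = _Record(user, time.time() if now is None else now)
        return token

    def redeem(self, token, now=None):
        # No expiry check and the record is never removed, so the link
        # stays valid forever and can be replayed after a mailbox compromise.
        rec = self._tokens.get(token)
        return rec.user if rec else None


class ResetStore:
    """Hardened: hashed at rest, expires after ttl, consumed on first use,
    and issuing a new token retires any older one for the same user."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self._ttl = ttl
        self._tokens = {}

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not hand out live reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        # Only the most recently mailed link should work.
        self._tokens = {k: r for k, r in self._tokens.items() if r.user != user}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = _Record(user, now)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use whether or not it turns out valid.
        rec = self._tokens.pop(self._key(token), None)
        if rec is None or now - rec.issued_at > self._ttl:
            return None
        return rec.user


if __name__ == "__main__":
    weak = WeakResetStore()
    t = weak.issue("alice", now=0)
    print("weak, redeemed twice:", weak.redeem(t, now=0), weak.redeem(t, now=10**9))
    good = ResetStore()
    t = good.issue("alice", now=0)
    print("hardened, redeemed twice:", good.redeem(t, now=60), good.redeem(t, now=60))
```

When testing a target, the observable signs of the weak version are: a reset link that still works after the password has already been changed with it, and one that works hours or days after issue.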
## Session (better be quick)
Session related:
- Failure to invalidate old cookies (old session still works after logout or password change)
- No new cookies issued on login/logout/timeout (session fixation)
- Cookies with no expiry (never-ending session lifetime)
- Multiple concurrent sessions allowed
- Easily reversible cookie (base64 most often): client-side state the server trusts
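For the last item, the quick check is to try to reverse the cookie and, if it turns out to be structured data, to re-encode it with a changed field and see whether the server honours it. Below is an added example (not code from this page) that does both: it decodes URL-encoded, standard or URL-safe base64 and hex, treats the result as reversible only if it is readable text, and forges a modified copy when the plaintext is JSON. The sample cookie values are constructed here for the demo; the "opaque" one is a fixed stand-in for a random session token.

```python
import base64
import binascii
import json
import string
import urllib.parse

PRINTABLE = set(string.printable)


def _b64_decode(value):
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    s = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(s, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def decode_cookie(value):
    """Return (encoding, plaintext) if the cookie reverses to readable text, else None."""
    s = urllib.parse.unquote(value)  # cookies often carry %3D padding or %2B
    candidates = []
    raw = _b64_decode(s)
    if raw is not None:
        candidates.append(("base64", raw))
    if len(s) % 2 == 0 and s and all(c in string.hexdigits for c in s):
        candidates.append(("hex", bytes.fromhex(s)))
    for enc, raw in candidates:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # random session bytes rarely survive this step
        if text and all(c in PRINTABLE for c in text):
            return enc, text
    return None


def forge_cookie(value, changes):
    """If the cookie is reversible JSON, return a copy with fields changed.
    Sending it back tests whether the server trusts client-side state."""
    dec = decode_cookie(value)
    if dec is None:
        return None
    enc, text = dec
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    data.update(changes)
    new = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(new).decode() if enc == "base64" else new.hex()


# Constructed sample cookies for the demo (not captured from any real site).
SAMPLE_COOKIES = {
    "json_b64": base64.b64encode(b'{"user":"alice","role":"user"}').decode(),
    "userpass_b64": base64.b64encode(b"alice:1234").decode(),
    # fixed stand-in for a random 32-byte token: decodes, but not to text
    "opaque": base64.urlsafe_b64encode(bytes(range(200, 232))).decode(),
}
SAMPLE_COOKIES["json_b64_urlenc"] = urllib.parse.quote(SAMPLE_COOKIES["json_b64"], safe="")


if __name__ == "__main__":
    for name, cookie in SAMPLE_COOKIES.items():
        print(f"{name}: {decode_cookie(cookie)}")
    print("forged:", forge_cookie(SAMPLE_COOKIES["json_b64"], {"role": "admin"}))
```

A cookie that decodes to `{"user":"alice","role":"user"}` is only a finding if the forged `role: admin` copy is accepted; a reversible cookie that also carries a server-side MAC or signature is reversible but not forgeable, so check for a trailing signature segment before reporting.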
tbhm/04_authorization.1778746727.txt.gz · Last modified: by drew
