In a SSL web application, what would be the vulnerabilities of using session based authentication?

Posted by Thomas C. G. de Vilhena on Programmers See other posts from Programmers or by Thomas C. G. de Vilhena
Published on 2013-11-08T00:26:05Z Indexed on 2013/11/08 4:17 UTC
Read the original article Hit count: 312

Filed under:
|
|

I'm not sure the term even exists, so let me explain what I mean by "session based authentication" through some pseudo-code:

void PerformLogin(string userName, string password)
{
    if(AreValidCredentials(userName, password))
    {
        Session.Set("IsAuthenticated", true);
    }
    else
    {
        Message.Show("Invalid credentials!");
    }
}

So the above method simply verifies the provided credentials are valid and then sets a session flag to indicate that the session user is authenticated.

Under plain HTTP that is obviously unsafe, because anyone could hijack the session cookie/querystring and breach security. However, under HTTPS the session cookie/querystring is protected because client-server communication is encrypted, so I believe this authentication approach would be safe, wouldn't it?

I'm asking this because I want to know how authentication tickets can improve web applications security.

Thanks in advance!

© Programmers or respective owner

Related posts about authentication

Related posts about session