In a SSL web application, what would be the vulnerabilities of using session based authentication?
- by Thomas C. G. de Vilhena
I'm not sure the term even exists, so let me explain what I mean by "session based authentication" through some pseudo-code:
void PerformLogin(string userName, string password)
{
if(AreValidCredentials(userName, password))
{
Session.Set("IsAuthenticated", true);
}
else
{
Message.Show("Invalid credentials!");
}
}
So the above method simply verifies the provided credentials are valid and then sets a session flag to indicate that the session user is authenticated.
Under plain HTTP that is obviously unsafe, because anyone could hijack the session cookie/querystring and breach security. However, under HTTPS the session cookie/querystring is protected because client-server communication is encrypted, so I believe this authentication approach would be safe, wouldn't it?
I'm asking this because I want to know how authentication tickets can improve web applications security.
Thanks in advance!