Broken Authentication and Session Management

One of the most common vulnerability in OWASP top 10 which is broken authentication & session management.
It happens when the application mismanages session related such that the user's identity compromised.
before going down it good to know about the Session.

What is a Session ID?

A session id is:

• Unique to user
• Used for only one authenticated session
• Generated by the server
• Sent to the client as:
• Hidden variable
• HTTP cookie
• URL query String (which is not a good practice)
• The user is expected to send the same ID in the next request

How does HTTP handles Session IDs?

 HTTP and HTTPS doesn't provide triking  of user's session so application vendors tries to provide a builtin session triking methodology or the developers develop their own method to manager sessions thus some times error occurs and that's why attackers take the advantage of such bad practices to compromise password, kies or authentication tokens.

the bad practice example is when you press back button in browser it will show up the facebook of the person who were using it logout him/her self and then you can see the messages, you can post on their behalf. 
Or credentials in the source code or you just paste the link in the browser if that logout account opens.

an attacker or a cyber-criminal can gain access to a website by stealing user’s login credentials or forge session data such as cookies and gain unauthorized access to a website.
Depending on the domain of web application this vulnerability allows money laundering, social security fraud and identity theft or exposure of highly sensitive data.

which Applications are vulnerable? 

application which permits credential stuffing attack where the attacker has the list of stolen username and passwords. Credential stuffing is the new form of attack which an account can be takeover by automated web injection.

• permits brutforce or other automated attacks.
• permits default, well-known and weak passwords like: admin/admin, password123.
• uses weak and ineffective password recovery method like: knowledge based questions to recover your account back.
• uses plaintext or weak hashed passwords that could be easily decoded by using online hash cracker.
• missing multi factor authentication
• exposes session ID in url rewriting
• does not rotate the session IDs after successful login
• does not properly invalidates session IDs.
• user sessions or authentication tokens aren't properly invalidated during logout or a period of inactivity.

Prevention / Mitigation

• User long and complex random session ID that cannot be guessed
• Use multi-factor authentication the prevent brutforcing, credential stuffing and stolen credential re-use attacks
• Do not deploy default passwords specially for admin users
• Implement weak password check
• Enforce Strong Passwords
• Limit or increasingly delay the failed login attempts. log all the failed attempts and send to the administrator
• use an SSL certificate (Secure Socket Layer or HTTPS) that encrypts your communication with server
• Session ID should be expired and/or time-out on the sever when logout
• Regenerate new session upon successful authentication
• URL query string should not be used for ID or any User/Session information