Description:
For a secure access control/login function there are many things to take into consideration before you start developing this type of functionality.
Solution:
It is highly recommended to study all of the listed items and to implement these principles in your access control/login system in order to enforce a higher level of security.
- Audit logs
- Principle of least privilege (Privilege based authentication system)
- Passwords must be encrypted, salted and stretched
- Cross-Site Request Forgery (CSRF for authenticated forms)
- Session pattern
- Session fixation
- Session hijacking
- Forgot password functions
- Client side authentication
- Client side state management
- Cross sub-domain cookie attack