Best Practices for Secure Programming

Good Web Programming Practices

• Authentication on the Web: Sessions
  • Different from typical connections due to the stateless
    nature of the web. Every page must be authenticated. A group
    of authenticated pages over a period of time constitutes
    a Session

  • How is this done without prompting the user each page? Upon successful
    authentication, return a token to the user that is sent back to the web
    application each subsequent access. This token proves the user has
    authenticated. The token can be:
    • A cookie

    • A string in a hidden field

    • An encoded URL

  • The token in question should meet certain security requirements:
    • It should be unguessable/random/unforgeable (e.g, a098klskdjblkjslkeojsldkjf )

    • It should be difficult to discover (use SSL)

    • It should expire after a certain amount of time

  • To be even more secure, it could contain encrypted information that can only
    be decrypted on the server, information which can be used to verify the client

  • Be sure to include a logout function that renders the token inoperable

• Accepting data from the user : again, don't trust user data
  • Sanitize input from the user, e.g., stripping out HTML to help prevent
    cross-site scripting problems

  • Again, don't ask for information you can look up.