Can you spot the real vulnerability in this authentication system? (Most people get it wrong)
Posted by thenoopcoder@reddit | learnprogramming | 9 comments
A web application uses the following authentication flow:
User logs in with username + password
Server generates a session token and stores it in a cookie
The cookie is marked as HttpOnly and Secure
The application does NOT rotate session IDs after login
The same session ID is reused across multiple devices if credentials match
❓ Question:
Which of the following is the most serious security vulnerability in this design?
A) “HttpOnly and Secure flags are missing”
B) “Passwords are stored in plaintext”
C) “Session cookies can be stolen easily via WiFi”
D) “Using cookies for authentication is insecure”
InnocentVampire7@reddit
I think it's B, because we need to store passwords encrypted, not in plain text. It's not a good practice.
EliSka93@reddit
We have no way of knowing that from the phrasing of the question.
That aside, storing passwords plaintext isn't just bad practice but rather something that should be straight up criminal in my opinion.
InnocentVampire7@reddit
True. But I came to this conclusion by eliminating other options. There is no mention of how the password is stored, so the 2nd option is the only choice which is not wrong.
BlaM4c@reddit
A lot of details are missing from this question's scenario to actually answer this.
But: The session ID here apparently is not a session ID. It is just a visitor ID if the same is used on multiple devices when credentials match. It may not even be possible to log out with this approach.
HashDefTrueFalse@reddit
I don't like any of the answers, given the information we have. The question specifies "in this design". It seems to be implying a session hijacking (fixation) vulnerability. But... A is false on the facts. B and C require us to assume or infer information that is not given and cannot be deduced (plaintext passwords and no TLS respectively). D is a false general statement.
Is this some LLM-generated practice question, because it's not very good IMO.
nog642@reddit
A doesn't make sense, it says the flags are there.
C isn't true because of the secure cookie.
I don't think D is true, cookies can be fine for authentication in general.
So if it's multiple choice, it must be B, even though the text didn't say how the passwords were stored.
But also the session ID never being rotated and being reused across devices seems like an issue too. But it's not in the multiple choice.
OtherwiseOne4107@reddit
Are you trying to get us to help you pass an exam?
thenoopcoder@reddit (OP)
😁😁😁😁😁
thenoopcoder@reddit (OP)
Maybe. I think it's session fixation plus session reuse across devices without rotation.
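As an added example that is not part of the thread, here is a small harness that checks the two properties the OP's design and the last comment point at (the pre-login session ID staying valid after login, and one ID shared across devices) against a hardened variant that mints a fresh ID per login. The store, the user name and the credential check are constructed stand-ins, not any real framework's API.

```python
import secrets

class SessionStore:
    """Constructed in-memory store. rotate_on_login=False mirrors the OP's
    design (pre-login ID kept after auth, same ID handed to every device of
    that user); rotate_on_login=True mints a fresh per-login ID instead."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session_id -> username, or None while anonymous

    def start_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, username, password):
        if not self._check_credentials(username, password):
            raise PermissionError("bad credentials")
        if not self.rotate_on_login:
            for existing, user in self.sessions.items():
                if user == username:
                    return existing  # second device gets the same ID
            self.sessions[sid] = username  # pre-login ID promoted in place
            return sid
        self.sessions.pop(sid, None)  # pre-login ID must not survive login
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = username
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid)

    def logout(self, sid):
        self.sessions.pop(sid, None)

    @staticmethod
    def _check_credentials(username, password):
        return (username, password) == ("alice", "correct horse")  # constructed

def audit(rotate_on_login):
    """Run one two-device login flow and report the properties in question."""
    store = SessionStore(rotate_on_login)
    pre_login = store.start_anonymous()  # ID issued before authentication
    device_a = store.login(pre_login, "alice", "correct horse")
    fixation = store.user_for(pre_login) == "alice"  # old ID still authenticates?
    device_b = store.login(store.start_anonymous(), "alice", "correct horse")
    store.logout(device_b)  # logging out one device should not touch the other
    return {
        "pre_login_id_valid_after_login": fixation,
        "same_id_on_both_devices": device_a == device_b,
        "device_a_survives_device_b_logout": store.user_for(device_a) == "alice",
    }
```

`audit(False)` reports all three problems of the OP's design, including the one BlaM4c raises about logout, while `audit(True)` reports none.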