New e-commerce application clients must enter all the necessary details, including username, chosen password, address, telephone, email address, and so on. Once the user is registered, an email is sent to the user at the designated email address. The user must click on the link provided to perform the initial login. The activation link will expire in 12 hours.
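The registration step above needs an activation link that is unguessable, usable once, and dead after 12 hours. The following Java class is an added illustration, not Panthera's code and not from the original text; the in-memory map, the `issue`/`activate` method names and the sample timestamps are assumptions made here. Only a SHA-256 digest of the token is kept server-side, so a copy of the pending table does not yield working links, and the token is removed from the table before the expiry check so it can never be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Issues and validates single-use account activation links that expire after 12 hours. */
public class ActivationTokens {
    // 12-hour lifetime taken from the requirement; the store itself is a hypothetical in-memory map.
    private static final Duration TTL = Duration.ofHours(12);
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Pending {
        final String username;
        final Instant expiresAt;
        Pending(String username, Instant expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    // Keyed by the SHA-256 digest of the token, never by the token itself.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Returns the raw token to embed in the emailed link; only its digest is stored. */
    public String issue(String username, Instant now) {
        byte[] raw = new byte[32];                      // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(digest(token), new Pending(username, now.plus(TTL)));
        return token;
    }

    /** Consumes the token: valid only once and only before expiry. Returns the username or null. */
    public String activate(String token, Instant now) {
        Pending p = pending.remove(digest(token));      // remove first: single use even when expired
        if (p == null || now.isAfter(p.expiresAt)) {
            return null;
        }
        return p.username;
    }

    private static String digest(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        ActivationTokens tokens = new ActivationTokens();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");   // constructed sample registration time
        String link = tokens.issue("alice", t0);
        // A link presented 13 hours after issue is past its 12-hour lifetime and is rejected.
        System.out.println(tokens.activate(link, t0.plus(Duration.ofHours(13))));
        String link2 = tokens.issue("alice", t0);
        // The same link used twice: the second attempt finds nothing in the table.
        System.out.println(tokens.activate(link2, t0.plus(Duration.ofHours(1))));
        System.out.println(tokens.activate(link2, t0.plus(Duration.ofHours(2))));
    }
}
```

In a deployed application the pending table would live in the database beside the user record, and the user should not be marked active until `activate` returns a username.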
6.4.1.3 Session Management
The following functionality will be implemented as part of session management for Panthera's e-commerce application:

The built-in session management feature provided by the Web/application server will be utilized for creating session handlers. No separate session handlers will be written. This is done to prevent session handlers from being predictable.

Session idle time will be set to 5 minutes for all users of the e-commerce application.

Existing sessions must first be invalidated before performing a login request to the application. This is done to prevent session fixation attacks.
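The three session requirements above fit in one login handler, shown here as an added example rather than Panthera's own code. It assumes the `javax.servlet` API (Servlet 3.x or 4.x); the `/account` redirect target, the `user` attribute name and the `checkCredentials` helper are placeholders. The container's own `HttpSession` is used throughout, so no session IDs are generated by application code, and any session the browser arrived with is invalidated before the new one is created.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet: drops any pre-existing session, then issues a fresh container-managed one. */
public class LoginServlet extends HttpServlet {
    private static final int IDLE_TIMEOUT_SECONDS = 5 * 60;   // 5-minute idle time from the requirements

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (!checkCredentials(username, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 1: invalidate whatever session the request carries. If that session ID was
        // planted by someone else (fixation), it must not become the authenticated session.
        HttpSession old = req.getSession(false);      // false: do not create one just to kill it
        if (old != null) {
            old.invalidate();
        }

        // Step 2: let the container mint a new session with its own unpredictable ID.
        HttpSession fresh = req.getSession(true);
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        fresh.setAttribute("user", username);

        resp.sendRedirect(req.getContextPath() + "/account");
    }

    /** Hypothetical placeholder; real verification checks the stored hash (see 6.4.1.4). */
    private boolean checkCredentials(String username, String password) {
        return username != null && password != null && !username.isEmpty() && !password.isEmpty();
    }
}
```

`setMaxInactiveInterval` applies per session; the same 5-minute value can be set once for the whole application with `<session-timeout>5</session-timeout>` in web.xml, which avoids relying on every login path to remember it.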
6.4.1.4 Storage of User Credentials
The following security measures will be implemented for the storage of user credentials as part of Panthera's Web application:

User passwords will be stored in the user database table in an encrypted format. SHA-256 is being considered as the one-way hashing function* to be used for hashing passwords to be stored in the database.

Users will be required to create a password question and a password answer, in case they forget their password. The password answer will be hashed with a SHA-256 hashing function.
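The following class is an added example of the storage scheme just described, not code from the original or from Panthera; the record format `base64(salt)$base64(digest)` and the method names are assumptions. It uses SHA-256 as the text specifies, but adds a random per-record salt so that identical passwords (or identical password answers, which are far more repetitive) do not produce identical stored values, and compares digests with `MessageDigest.isEqual` so verification time does not depend on where a mismatch occurs. One caveat a practitioner would raise: a single SHA-256 pass is fast by design, so current guidance prefers a deliberately slow, salted password-hashing function (the JDK ships PBKDF2 via `SecretKeyFactory`); the structure below stays the same if that function is swapped in.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Stores passwords and password-reset answers as salted SHA-256 digests and verifies them. */
public final class PasswordHasher {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;

    /** Returns "base64(salt)$base64(sha256(salt || secret))" for storage in the user table. */
    public static String hash(String secret) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return encode(salt) + "$" + encode(digest(salt, secret));
    }

    /** Recomputes the digest with the stored salt and compares in constant time. */
    public static boolean verify(String secret, String stored) {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) {
            return false;                            // malformed record: treat as no match
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(salt, secret));
    }

    /** Password answers are compared loosely by users, so normalise before hashing. */
    public static String normaliseAnswer(String answer) {
        return answer.trim().toLowerCase();
    }

    private static byte[] digest(byte[] salt, String secret) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);                         // salt first, then the secret
            return md.digest(secret.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    private static String encode(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) {
        String stored = hash("correct horse");                         // constructed sample password
        System.out.println(verify("correct horse", stored));
        System.out.println(verify("wrong horse", stored));
        // The password answer is handled exactly like a password: hashed, never stored in clear.
        String answerRecord = hash(normaliseAnswer("Fluffy "));
        System.out.println(verify(normaliseAnswer("fluffy"), answerRecord));
    }
}
```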
6.4.1.5 Other Measures
Other security measures that will be incorporated into Panthera's e-commerce application, with reference to authentication and authorization, are as follows:

Each page of the Web application will have a logout page.

All pages for user authentication need to take place over an encrypted channel. SSL/TLS is to be implemented for the same.
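One way to enforce both measures in application code, added here as an example and not taken from Panthera's implementation: a servlet filter that refuses to serve authentication pages over plain HTTP and that honours a logout request from any page. It assumes the `javax.servlet` API; the `logout` request parameter and the `/login` redirect target are placeholders, and the filter is assumed to be mapped in web.xml to the login and registration URLs (mapping not shown).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Serves authentication pages only over TLS and handles logout requests from any page. */
public class AuthChannelFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // isSecure() is true only when the container itself received this request over TLS.
        if (!req.isSecure()) {
            // Never render a credential form over clear text; send the browser to the TLS URL.
            resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI());
            return;
        }

        // A logout link on every page points at the current URL with ?logout=1 (hypothetical).
        if (req.getParameter("logout") != null) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();               // server-side session gone; cookie is now useless
            }
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        chain.doFilter(request, response);
    }
}
```

The redirect protects the form, not a credential that was already posted over HTTP, so the container should also be configured to accept the login URLs only on its TLS connector (a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` security constraint in web.xml does this), with the filter as a second line of defence.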
* A one-way hash function is a mathematical function that takes a variable-length input string and converts it into a fixed-length binary sequence, thereby rendering the original string unreadable to an individual. The one-way hashing function has been named so because this process of converting a string into a binary sequence is irreversible. One-way hashing functions are covered in detail in Chapter 8 of this topic.