Handling User Access

April 13, 2020 by Krishna

A central security requirement that virtually any application needs to meet is to control users’ access to its data and functionality. In a typical situation, there are several different categories of user; for example, anonymous users, ordinary authenticated users, and administrative users. Further, in many situations different users are permitted to access a different set of data; for example, users of a web mail application should be able to read their own email but not other people’s.

Most web applications handle access using a trio of interrelated security mechanisms:

■ Authentication
■ Session management
■ Access control

Each of these mechanisms represents a significant area of an application’s attack surface, and each is absolutely fundamental to an application’s overall security posture. Because of their interdependencies, the overall security provided by the mechanisms is only as strong as the weakest link in the chain. A defect in any single component may enable an attacker to gain unrestricted access to the application’s functionality and data.

Authentication

The authentication mechanism is logically the most basic dependency in an application’s handling of user access. Authenticating a user involves establishing that the user is in fact who he claims to be. Without this facility, the application would need to treat all users as anonymous — the lowest possible level of trust.

The majority of today’s web applications employ the conventional authentication model in which the user submits a username and password, which the application checks for validity. Figure -1 shows a typical login function. In security-critical applications such as those used by online banks, this basic model is usually supplemented by additional credentials and a multistage login process. When security requirements are higher still, other authentication models may be used, based on client certificates, smartcards, or challenge-response tokens. In addition to the core login process, authentication mechanisms often employ a range of other supporting functionality, such as self-registration, account recovery, and a password change facility.

[Screenshot omitted]

Figure -1: A typical login function

Despite their superficial simplicity, authentication mechanisms suffer from a wide range of defects, in both design and implementation. Common problems may enable an attacker to identify other users’ usernames, guess their passwords, or bypass the login function altogether by exploiting defects in its logic. When you are attacking a web application, you should invest a significant amount of attention in the various authentication-related functions that it contains. Surprisingly frequently, defects in this functionality will enable you to gain unauthorized access to sensitive data and functionality.
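The two authentication weaknesses named above, username enumeration and password guessing, both come down to how the login function stores and compares credentials. The following Python snippet is an added illustration written for this page, not code from the original article or from any product it describes. It assumes an in-memory user store and an illustrative PBKDF2 iteration count; the point is that an unknown username and a wrong password cost the same work and produce the same response, and that stored passwords are salted hashes compared in constant time.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, password hash).
# A real application would keep this in a database.
_USERS = {}

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, not a recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is never kept."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


# A dummy record so that a login attempt against an unknown username performs
# the same hashing work as one against a real account (no timing difference).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def login(username: str, password: str) -> bool:
    """Return True only when both the username and the password are correct.

    Whether the username is unknown or the password is wrong, the same amount
    of work is done and the same result is returned, so the caller learns
    nothing about which usernames exist.
    """
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison of the two digests.
    matches = hmac.compare_digest(candidate, stored)
    # An unknown username must fail even in the unlikely event that the
    # submitted password happened to match the dummy record.
    return matches and username in _USERS


def login_message(username: str, password: str) -> str:
    """One generic message for every failure; never say which credential was wrong."""
    if login(username, password):
        return "Login successful"
    return "Invalid username or password"
```

In a full application the same idea extends to the supporting functions mentioned above: account recovery and self-registration should answer "if that account exists, an email has been sent" rather than confirming whether a username is taken.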

Session Management

The next logical task in the process of handling user access is to manage the authenticated user’s session. After successfully logging in to the application, the user will access various pages and functions, making a series of HTTP requests from their browser. At the same time, the application will be receiving countless other requests from different users, some of whom are authenticated and some of whom are anonymous. In order to enforce effective access control, the application needs a way of identifying and processing the series of requests that originate from each unique user.

Virtually all web applications meet this requirement by creating a session for each user and issuing the user a token that identifies the session. The session itself is a set of data structures held on the server, which are used to track the state of the user’s interaction with the application. The token is a unique string that the application maps to the session. When a user has received a token, the browser automatically submits this back to the server in each subsequent HTTP request, enabling the application to associate the request with that user. HTTP cookies are the standard method for transmitting session tokens, although many applications use hidden form fields or the URL query string for this purpose. If a user does not make a request for a given period, then the session is ideally expired.

In terms of attack surface, the session management mechanism is highly dependent on the security of its tokens, and the majority of attacks against it seek to compromise the tokens issued to other users. If this is possible, an attacker can masquerade as the victim user and use the application just as if they had actually authenticated as that user. The principal areas of vulnerability arise from defects in the way tokens are generated, enabling an attacker to guess the tokens issued to other users, and defects in the way tokens are subsequently handled, enabling an attacker to capture other users’ tokens.
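The two token weaknesses just described, guessable generation and careless handling, are both addressed in the following Python example, which is added here for illustration and is not code from the original article. It assumes a server-side dictionary as the session store and a 15-minute idle timeout (an assumed value, matching the timeout behaviour shown in Figure -2). Tokens are drawn from the operating system's CSPRNG so they carry no structure to extrapolate from, state lives only on the server, an idle session is destroyed rather than merely flagged, and the cookie is issued with attributes that limit how it can be captured.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed idle timeout for this example

# Server-side session store, constructed for this example: token -> state.
_SESSIONS = {}


def create_session(username: str, now=None) -> str:
    """Create a session for an authenticated user and return its token."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG, base64url-encoded: 256 bits of
    # entropy and nothing sequential or time-derived that could be guessed.
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": username, "last_seen": now}
    return token


def lookup_session(token: str, now=None):
    """Return the username for a valid, non-expired token, otherwise None."""
    now = time.time() if now is None else now
    session = _SESSIONS.get(token)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        # Idle timeout reached: drop the server-side state so the token is
        # dead even if someone captured it earlier.
        del _SESSIONS[token]
        return None
    session["last_seen"] = now
    return session["user"]


def destroy_session(token: str) -> None:
    """Explicit logout: remove the server-side state for this token."""
    _SESSIONS.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Set-Cookie header carrying the token with attributes that limit capture.

    Secure: only sent over HTTPS.  HttpOnly: not readable from page scripts.
    SameSite=Lax: not attached to most cross-site requests.
    """
    return f"Set-Cookie: SESSIONID={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The `now` parameter exists so the timeout logic can be exercised deterministically; a real handler would simply call the functions with the current time.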

[Screenshot omitted]

Figure -2: An application enforcing session timeout

A small number of applications dispense with the need for session tokens by using other means of re-identifying users across multiple requests. If HTTP’s built-in authentication mechanism is used, then the browser automatically resubmits the user’s credentials with each request, enabling the application to identify the user directly from these. In other cases, the application stores the state information on the client side rather than the server, usually in encrypted form to prevent tampering.

Access Control

The final logical step in the process of handling user access is to make and enforce correct decisions regarding whether each individual request should be permitted or denied. If the preceding mechanisms are functioning correctly, the application knows the identity of the user from whom each request is received. On this basis, it needs to decide whether that user is authorized to perform the action, or access the data, that he is requesting.

The access control mechanism usually needs to implement some fine-grained logic, with different considerations being relevant to different areas of the application and different types of functionality. An application might support numerous different user roles, each involving different combinations of specific privileges. Individual users may be permitted to access a subset of the total data held within the application. Specific functions may implement transaction limits and other checks, all of which need to be properly enforced based on the user’s identity.

[Screenshot omitted]

Figure -3: An application enforcing access control

Because of the complex nature of typical access control requirements, this mechanism is a frequent source of security vulnerabilities that enable an attacker to gain unauthorized access to data and functionality. Developers very often make flawed assumptions about how users will interact with the application, and frequently make oversights by omitting access control checks from some application functions. Probing for these vulnerabilities is often laborious because essentially the same checks need to be repeated for each item of functionality. Because of the prevalence of access control flaws, however, this effort is always a worthwhile investment when you are attacking a web application.
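The three kinds of access control decision described in this section (role privileges, per-user data ownership, and transaction limits) and the failure mode of a function that simply forgets its check are illustrated by the following Python example. It is an added example for this page, not code from the original article; the roles, privilege names, mailbox model and the transfer limit of 1000 are all constructed for illustration. The design point is a single `require()` function that denies by default, so a role the policy does not know about gets nothing, and every function routes through it rather than carrying its own ad hoc logic.

```python
from dataclasses import dataclass, field

# Constructed policy: which privileges each role carries.
ROLE_PRIVILEGES = {
    "anonymous": set(),
    "user": {"mail:read", "mail:send", "transfer:create"},
    "admin": {"mail:read", "mail:send", "transfer:create", "users:manage"},
}

TRANSFER_LIMIT = 1000  # assumed per-transaction limit for ordinary users


@dataclass
class User:
    name: str
    role: str


@dataclass
class Mailbox:
    owner: str
    messages: list = field(default_factory=list)


class Denied(Exception):
    """Raised whenever an access control check fails."""


def require(user: User, privilege: str) -> None:
    """Central vertical check, deny by default: an unknown role has no privileges."""
    if privilege not in ROLE_PRIVILEGES.get(user.role, set()):
        raise Denied(f"{user.name} ({user.role}) lacks {privilege}")


def read_mailbox(user: User, mailbox: Mailbox) -> list:
    require(user, "mail:read")
    # Horizontal check: the privilege alone is not enough; the data must also
    # belong to the requesting user (administrators may read any mailbox).
    if mailbox.owner != user.name and user.role != "admin":
        raise Denied(f"{user.name} may not read {mailbox.owner}'s mailbox")
    return list(mailbox.messages)


def create_transfer(user: User, amount: int) -> dict:
    require(user, "transfer:create")
    if amount <= 0:
        raise ValueError("amount must be positive")
    # Function-specific check: ordinary users are bound by the transaction limit.
    if user.role != "admin" and amount > TRANSFER_LIMIT:
        raise Denied(f"{amount} exceeds the limit of {TRANSFER_LIMIT}")
    return {"from": user.name, "amount": amount}


def manage_users(user: User) -> str:
    require(user, "users:manage")
    return "user management panel"


def is_allowed(fn, *args) -> bool:
    """True if the call is permitted, False if the access control check denies it."""
    try:
        fn(*args)
        return True
    except Denied:
        return False
```

Routing every function through `require()` makes the "forgotten check" oversight visible in code review: a handler that touches protected data without a `require()` call stands out, whereas a bespoke `if` in each function is easy to drop or get subtly wrong.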


Next article: Handling User Input
