A07 — Identification & Authentication Failures Secure

These secure demos show rate limiting, session fixation defenses, password reset tokens, MFA (TOTP-style), and remember-me with a selector/validator split.

Uses shared DB tables (a07_*). Seed data in db/seed.sql. Compare with the Insecure version.

Attack 1 — Brute-force / Rate Limiting

per-user/IP window + backoff

Secure idea: track attempts per user and per IP in a sliding window, add backoff with jitter, and log failures for alerting. Responses stay uniform, so a throttled or failed attempt reveals nothing about whether the account exists.

Demo login: alice@example.com / alice@example.com

  1. Enter email/password; repeated failures begin throttling.
  2. On success, counters reset and you’re logged in.
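One way to implement the sliding-window throttle described above, as an added example rather than the demo's own code. It assumes PHP 7.4+ and keeps the per-key failure timestamps in an in-memory array where the demo uses its a07_* tables; the credential check is a hypothetical stand-in for the demo's user lookup.

```php
<?php
// Added example (not the demo's code): sliding-window login throttle keyed by
// user and by client IP, with exponential backoff plus jitter and a uniform
// "invalid" response whether the request was throttled or simply wrong.
declare(strict_types=1);

const WINDOW_SECONDS = 600;  // sliding window length
const MAX_ATTEMPTS   = 5;    // failures tolerated inside the window before backoff starts
const MAX_BACKOFF    = 300;  // cap on the computed delay, in seconds

/** @var array<string, int[]> failure timestamps per key ("user:<email>" or "ip:<addr>") */
$attempts = [];

/** Drop timestamps that have slid out of the window. */
function prune(array &$attempts, string $key, int $now): void {
    $attempts[$key] = array_values(array_filter(
        $attempts[$key] ?? [],
        fn(int $t): bool => $t > $now - WINDOW_SECONDS
    ));
}

/** Seconds the caller must still wait for this key; 0 when not throttled. */
function retryAfter(array &$attempts, string $key, int $now): int {
    prune($attempts, $key, $now);
    $n = count($attempts[$key]);
    if ($n < MAX_ATTEMPTS) {
        return 0;
    }
    // Exponential backoff on the excess failures, up to 1 s of jitter, capped.
    $delay = min(MAX_BACKOFF, 2 ** ($n - MAX_ATTEMPTS + 1)) + random_int(0, 1000) / 1000;
    $last  = max($attempts[$key]);
    return max(0, (int) ceil($last + $delay - $now));
}

function recordFailure(array &$attempts, string $key, int $now): void {
    prune($attempts, $key, $now);
    $attempts[$key][] = $now;
}

/** On success the counters for this user and IP start over. */
function recordSuccess(array &$attempts, string $key): void {
    unset($attempts[$key]);
}

/** Returns 'ok' or 'invalid'; the caller never learns which check failed. */
function login(array &$attempts, string $email, string $password, string $ip, int $now): string {
    $keys = ['user:' . strtolower($email), 'ip:' . $ip];
    foreach ($keys as $k) {
        if (retryAfter($attempts, $k, $now) > 0) {
            error_log("throttled login key=$k ip=$ip");  // feed for alerting
            return 'invalid';                             // same body as a bad password
        }
    }
    // Hypothetical credential check; the demo verifies against its a07_* tables.
    $ok = $email === 'alice@example.com' && $password === 'alice@example.com';
    foreach ($keys as $k) {
        $ok ? recordSuccess($attempts, $k) : recordFailure($attempts, $k, $now);
    }
    if (!$ok) {
        error_log("failed login user=$email ip=$ip");
    }
    return $ok ? 'ok' : 'invalid';
}

// Usage: six wrong passwords in a row push the user key past MAX_ATTEMPTS,
// after which retryAfter() for that key is non-zero until the backoff elapses.
$now = time();
for ($i = 0; $i < 6; $i++) {
    login($attempts, 'alice@example.com', 'wrong', '203.0.113.7', $now + $i);
}
printf("retry after %d s\n", retryAfter($attempts, 'user:alice@example.com', $now + 6));
```

Keying on both the user and the IP means a single client cannot spray one password across many accounts without tripping the IP counter, while a distributed attack against one account still trips the user counter. The jitter keeps the delay from being an exact, predictable schedule.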

Attack 2 — Session Fixation & Cookie Flags

session_regenerate_id + HttpOnly/Secure/SameSite

Secure idea: on login, session_regenerate_id(true) to kill fixation. Set cookies with HttpOnly, Secure, and SameSite=Lax/Strict.

  1. Click Begin to see your pre-login SID.
  2. Log in (secure) — SID should change.
  3. Open Who am I to inspect current SID & cookie attributes.
Who am I?
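A login handler that applies the regeneration and cookie-flag advice above, added here as an example and not taken from the demo. It assumes PHP 7.3+ (array form of session_set_cookie_params and setcookie), an HTTPS origin, and a hypothetical credential check built on a constructed one-user table; /whoami.php is an assumed path.

```php
<?php
// Added example (not the demo's code): harden the session cookie before
// session_start(), then regenerate the session id once the user authenticates.
declare(strict_types=1);

session_set_cookie_params([
    'lifetime' => 0,       // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // never sent over plain HTTP
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // 'Strict' if the app never needs cross-site entry links
]);
ini_set('session.use_strict_mode', '1');   // reject SIDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept a SID from the URL
session_start();

$preLoginSid = session_id();   // what the demo's "Begin" step displays

/** Hypothetical credential check against a constructed user table. */
function verifyCredentials(string $email, string $password): ?int {
    static $users = null;
    $users ??= [
        'alice@example.com' => ['id' => 1, 'hash' => password_hash('alice@example.com', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$email]) || !password_verify($password, $users[$email]['hash'])) {
        return null;
    }
    return $users[$email]['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = verifyCredentials($_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        http_response_code(401);
        exit('invalid');
    }
    // Privilege boundary: discard the old id and its storage so a SID planted
    // before login (fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'auth_at' => time()];  // fresh state, nothing pre-login carried over
    header('Location: /whoami.php');
    exit;
}
```

With use_strict_mode on, a SID that the attacker chose and planted is rejected outright rather than adopted, and regenerate_id(true) covers the case where the victim already held a server-issued SID that the attacker learned before login. The "Who am I" step should show a different SID after login and cookie attributes HttpOnly; Secure; SameSite=Lax.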

Attack 3 — Password Reset Tokens

random token + hash + TTL + one-time

Secure idea: generate a 32-byte random token, send it to the user in the reset link, and store only its hash with a short TTL; the token is valid for a single use.

  1. Request a reset link for an email.
  2. Paste the returned URL to perform a secure reset.
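The issue/redeem flow for the reset token, as an added example that is not the demo's code. It assumes PHP 7.4+ and uses an in-memory array keyed by token hash where the demo uses an a07_* table; the reset URL path is an assumption.

```php
<?php
// Added example (not the demo's code): random reset token, hash-at-rest,
// short TTL, single use. Only the hash ever touches storage, so a leaked
// table cannot be turned back into working reset links.
declare(strict_types=1);

const RESET_TTL = 15 * 60;  // 15 minutes

/** @var array<string, array{user_id:int, expires:int, used:bool}> keyed by sha256(token) */
$resetStore = [];

/** Creates a token for $userId and returns the raw token for the e-mailed link. */
function issueResetToken(array &$store, int $userId, int $now): string {
    // Any earlier, still-unused token for this user dies when a new one is requested.
    foreach ($store as $h => $row) {
        if ($row['user_id'] === $userId && !$row['used']) {
            $store[$h]['used'] = true;
        }
    }
    $token = bin2hex(random_bytes(32));   // 256 bits of entropy, URL-safe hex
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + RESET_TTL,
        'used'    => false,
    ];
    return $token;
}

/** Returns the owning user id and consumes the token, or null if it is unknown, used or expired. */
function redeemResetToken(array &$store, string $token, int $now): ?int {
    if (!ctype_xdigit($token) || strlen($token) !== 64) {
        return null;                       // reject malformed input before touching storage
    }
    $hash = hash('sha256', $token);
    $row  = $store[$hash] ?? null;
    if ($row === null || $row['used'] || $row['expires'] <= $now) {
        return null;                       // one uniform failure for all three cases
    }
    $store[$hash]['used'] = true;          // mark consumed before the password is changed
    return $row['user_id'];
}

// Usage with a constructed user id 42 and an assumed reset page path.
$now   = time();
$token = issueResetToken($resetStore, 42, $now);
$link  = 'https://example.test/reset.php?token=' . $token;
$first  = redeemResetToken($resetStore, $token, $now);   // the user id
$second = redeemResetToken($resetStore, $token, $now);   // null: already consumed
$late   = redeemResetToken($resetStore, issueResetToken($resetStore, 42, $now), $now + RESET_TTL + 1); // null: expired
var_dump($first, $second, $late);
```

Looking the row up by the hash of the presented token means the raw token is never compared against stored values at all, so no timing-safe comparison is needed at this step; the entropy of the token is what makes guessing infeasible. After a successful reset the application should also invalidate existing sessions for that user, which the demo's session-fixation part covers from the other side.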

Attack 4 — MFA (TOTP-style)

HMAC code + time window + nonce

Secure idea: Require time-based one-time code from per-user secret, verify in small window, and track a one-time challenge nonce.

  1. Begin MFA (server issues challenge + shows demo secret).
  2. Enter current 6-digit code to verify.
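The TOTP verification with a small window and a one-time challenge nonce, added here as an example and not the demo's code. It implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits, assumes PHP 7.4+, and takes the per-user secret as raw bytes (authenticator apps receive the same secret base32-encoded); the challenge and last-used-step stores are in-memory arrays in place of the demo's a07_* tables.

```php
<?php
// Added example (not the demo's code): RFC 6238 TOTP check inside a +/-1 step
// window, bound to a single-use challenge nonce with a small attempt budget,
// and refusing to accept a step that was already used (replay within the window).
declare(strict_types=1);

const TOTP_STEP     = 30;
const TOTP_DIGITS   = 6;
const TOTP_WINDOW   = 1;    // accept previous and next step for clock drift
const MFA_TTL       = 300;  // challenge lifetime in seconds
const MFA_MAX_TRIES = 3;    // wrong codes allowed per challenge

/** HOTP value for one counter (RFC 4226 dynamic truncation). */
function totpCode(string $secret, int $counter): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);  // 8-byte big-endian counter
    $offset = ord($hmac[19]) & 0x0f;
    $bin    = ((ord($hmac[$offset])     & 0x7f) << 24)
            | ((ord($hmac[$offset + 1]) & 0xff) << 16)
            | ((ord($hmac[$offset + 2]) & 0xff) << 8)
            |  (ord($hmac[$offset + 3]) & 0xff);
    return str_pad((string) ($bin % (10 ** TOTP_DIGITS)), TOTP_DIGITS, '0', STR_PAD_LEFT);
}

/** @var array<string, array{user_id:int, expires:int, tries:int}> open challenges keyed by nonce */
$challenges = [];
/** @var array<int, int> highest counter already accepted per user */
$lastUsed = [];

/** Step 1 of the demo: issue a challenge nonce tied to the user. */
function beginMfa(array &$challenges, int $userId, int $now): string {
    $nonce = bin2hex(random_bytes(16));
    $challenges[$nonce] = ['user_id' => $userId, 'expires' => $now + MFA_TTL, 'tries' => 0];
    return $nonce;
}

/** Step 2: true only if the nonce is live for this user and the code matches an unused step in the window. */
function verifyMfa(array &$challenges, array &$lastUsed, string $nonce, int $userId,
                   string $secret, string $code, int $now): bool {
    $ch = $challenges[$nonce] ?? null;
    if ($ch === null || $ch['user_id'] !== $userId || $ch['expires'] <= $now) {
        return false;
    }
    $counter = intdiv($now, TOTP_STEP);
    $matched = null;
    for ($i = -TOTP_WINDOW; $i <= TOTP_WINDOW; $i++) {
        // Keep looping after a hit so timing does not reveal which step matched.
        if ($matched === null && hash_equals(totpCode($secret, $counter + $i), $code)) {
            $matched = $counter + $i;
        }
    }
    if ($matched === null || $matched <= ($lastUsed[$userId] ?? -1)) {
        if (++$challenges[$nonce]['tries'] >= MFA_MAX_TRIES) {
            unset($challenges[$nonce]);   // budget spent: the client must start MFA again
        }
        return false;
    }
    $lastUsed[$userId] = $matched;        // the same code cannot be accepted twice
    unset($challenges[$nonce]);           // challenge consumed
    return true;
}

// Usage with a constructed 20-byte secret (the demo displays its own demo secret).
$secret = random_bytes(20);
$now    = time();
$nonce  = beginMfa($challenges, 7, $now);
$code   = totpCode($secret, intdiv($now, TOTP_STEP));   // what the user's app would show
var_dump(verifyMfa($challenges, $lastUsed, $nonce, 7, $secret, $code, $now));  // accepted
var_dump(verifyMfa($challenges, $lastUsed, $nonce, 7, $secret, $code, $now));  // nonce gone, rejected
```

The attempt budget per challenge, together with the Attack 1 throttle on the surrounding login flow, is what keeps a 6-digit code space from being brute-forced; the window only widens the search by a factor of three, which is why it stays at one step on each side.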

Attack 5 — Remember-Me (Persistent Login)

selector + validator (hash in DB) + rotate

Secure idea: Split cookie into selector (id) + validator (secret). Store only the hash of the validator with expiry; rotate on use; mismatch ⇒ invalidate.

  1. Set a secure remember-me cookie.
  2. Validate it (simulated returning visit).
  3. Clear it when done.
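The selector/validator scheme above, as an added example rather than the demo's code. It assumes PHP 7.3+ (array options for setcookie) and an HTTPS origin, and keeps the token rows in an in-memory array where the demo uses its a07_* table; the cookie name is an assumption.

```php
<?php
// Added example (not the demo's code): remember-me cookie split into a selector
// (lookup key) and a validator (secret). Storage keeps the selector, the SHA-256
// of the validator, the user id and an expiry; the raw validator lives only in
// the cookie. The validator rotates on every successful use and a mismatch
// destroys the row.
declare(strict_types=1);

const REMEMBER_TTL  = 30 * 24 * 3600;
const REMEMBER_NAME = 'remember';

/** @var array<string, array{user_id:int, validator_hash:string, expires:int}> keyed by selector */
$rememberStore = [];

/** Step 1 of the demo: create a row and return the cookie value "selector:validator". */
function issueRememberToken(array &$store, int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(12));   // identifies the row, not secret
    $validator = bin2hex(random_bytes(32));   // secret, stored only as a hash
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Step 2: returns [user_id, rotatedCookieValue] or null. A selector that exists
 * with the wrong validator means someone holds a forged or stolen cookie, so
 * the row is deleted and the legitimate holder is logged out as well.
 */
function validateRememberToken(array &$store, string $cookie, int $now): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    // Constant-time compare of the stored hash against the hash of what was presented.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);         // mismatch => invalidate
        return null;
    }
    if ($row['expires'] <= $now) {
        unset($store[$selector]);
        return null;
    }
    // Rotate: a cookie captured earlier stops working the moment the real client uses its copy.
    $newValidator = bin2hex(random_bytes(32));
    $store[$selector]['validator_hash'] = hash('sha256', $newValidator);
    return [$row['user_id'], $selector . ':' . $newValidator];
}

function sendRememberCookie(string $value, int $expires): void {
    setcookie(REMEMBER_NAME, $value, [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

/** Step 3: drop the row and expire the browser cookie. */
function clearRememberToken(array &$store, string $cookie): void {
    unset($store[explode(':', $cookie, 2)[0]]);
    sendRememberCookie('', 1);
}

// Usage with a constructed user id 1.
$now    = time();
$cookie = issueRememberToken($rememberStore, 1, $now);
$result = validateRememberToken($rememberStore, $cookie, $now + 60);      // [1, "<selector>:<new validator>"]
$replay = validateRememberToken($rememberStore, $cookie, $now + 120);     // null: old validator, row deleted
var_dump($result !== null, $replay);
```

Because the lookup is by selector and the secret comparison uses hash_equals, the store never has to search by a user-supplied secret. A login restored from this cookie should still call session_regenerate_id(true) and be treated as a weaker authentication state, with sensitive actions requiring a fresh password or MFA step.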