On the surface, authentication is conceptually among the simplest of all the security mechanisms employed within web applications. In the typical case, a user supplies a username and password, and the application must verify that these credentials are correct. If they are, it lets the user in; if not, it does not.
It is the heart of the web application’s protection against malicious attack. It is the front line of protection against unauthorized access. If an attacker can break those defenses, he will often gain full control of the application’s functionality and unrestricted access to the data held within it. Without robust authentication to rely on, none of the other core security mechanisms (such as session management and access control) can be effective.
In real-world web applications, authentication is usually the weakest link, and it is often what enables an attacker to gain unauthorized access. The authors have lost count of the number of applications they have compromised as a result of various defects in authentication logic.
The most common authentication flaws are simple ones: any attacker can submit dictionary words to a login form in an attempt to guess valid passwords. In other cases, subtle bugs lurk deep within the application's processing logic, where they can still be discovered and exploited.