Broken authentication and session management is mitigated by giving developers one strong, consistent set of authentication and session-management controls and using it everywhere. In practice this means:
- Meeting all of the authentication and session-management requirements defined in OWASP's Application Security Verification Standard (ASVS), areas V2 (Authentication) and V3 (Session Management).
- Presenting developers with a single, simple interface rather than leaving each team to hand-roll its own. The ESAPI Authenticator and User APIs are good examples to emulate, use, or build upon.
- Protecting session IDs from cross-site scripting (XSS), the usual way they are stolen: prevent XSS flaws in the first place, and apply standard cookie hardening (HttpOnly and Secure flags, server-side invalidation on logout, a new ID issued at login) so that a single script-injection bug does not hand an attacker a usable session.
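The session-management half of the list above (unguessable IDs, ID rotation at login, idle and absolute timeouts, server-side invalidation at logout, and HttpOnly/Secure/SameSite cookie flags) is shown here in one small, self-contained Python session store. This is an added example, not code from the page, from OWASP, or from ESAPI; the timeout values, the `__Host-sid` cookie name and the `SessionStore` class are assumptions chosen for illustration, and the clock is injectable only so the expiry logic can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed policy values (hypothetical, not from the page).
IDLE_TIMEOUT = 15 * 60           # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap on session lifetime regardless of activity
SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG; never a counter or a hash of user data


@dataclass
class Session:
    user_id: Optional[str]       # None for an anonymous (pre-login) session
    created_at: float
    last_seen: float
    # Per-session anti-CSRF token, compared in constant time below.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Server-side store: the cookie carries only an opaque random ID, never user data."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: Optional[str] = None) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session(user_id=user_id, created_at=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created_at > ABSOLUTE_TIMEOUT:
            # Expired: delete server-side so the ID cannot be replayed later.
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def login(self, old_sid: Optional[str], user_id: str) -> str:
        """Bind the user to a NEW ID and discard the pre-login one (defeats session fixation)."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self.create(user_id=user_id)

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the browser cookie alone leaves the ID usable."""
        self._sessions.pop(sid, None)

    def valid_csrf(self, sid: str, presented: str) -> bool:
        sess = self.get(sid)
        return sess is not None and hmac.compare_digest(sess.csrf_token, presented)


def session_cookie(sid: str, max_age: int = ABSOLUTE_TIMEOUT) -> str:
    """Set-Cookie value for the session ID.

    HttpOnly keeps injected script (XSS) from reading the cookie, Secure keeps it off
    plaintext HTTP, SameSite=Strict stops the browser attaching it to cross-site requests,
    and the __Host- prefix requires Secure, Path=/ and no Domain attribute, so a sibling
    subdomain cannot plant or overwrite it.
    """
    return (f"__Host-sid={sid}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


def logout_cookie() -> str:
    """Overwrite the cookie with an already-expired one after server-side invalidation."""
    return "__Host-sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                 # anonymous session before authentication
    sid = store.login(anon, "alice")      # new ID at login; the old one is gone
    print(session_cookie(sid))
    store.logout(sid)
    print(logout_cookie())
```

The two things most often missed in hand-rolled implementations are visible here: `login` never reuses the pre-authentication ID, and `get` enforces both an idle and an absolute lifetime and deletes the record on expiry rather than merely refusing it, so a stolen ID has a bounded window even if the victim never logs out.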