When verifying "who you are" goes horribly wrong.
Authentication is the process of verifying that a user is who they claim to be (most commonly with a username and password). "Broken Authentication" is an umbrella term for a broad class of vulnerabilities where the login process, session management, or password recovery flow is flawed, allowing an attacker to impersonate legitimate users.
If a site issues predictable session IDs (for example `SESSION_ID=1045`), an attacker only has to change their own cookie to `1046` to take over whichever user logs in next. Session IDs must be long, generated from a cryptographically secure random source, and regenerated whenever the session's privilege changes (most importantly at login), so that a value observed or planted before authentication is worthless afterwards.
```python
# VULNERABLE: Predictable Session IDs
last_session_id = 1045  # a simple counter shared by every login

def generate_session(user_id):
    # DANGER: Attackers can easily guess the next session ID!
    global last_session_id
    last_session_id += 1
    return last_session_id
```

```python
# SECURE: Cryptographically Secure Randomness
import secrets

def generate_session(user_id):
    # Generates a 64-character hex string (256 bits of entropy) like
    # 'a4f5c9e2b1d0...'; far too much entropy to guess or brute force
    return secrets.token_hex(32)
```
A developer implements a "Forgot Password" feature. The user enters their email address, the server generates a random 6-digit PIN and emails it to them, and the user proves ownership of the account by entering that PIN. However, the server does not rate-limit the PIN verification endpoint, and a PIN stays valid no matter how many wrong guesses precede the right one. An attacker requests a password reset for `admin@company.com`, then writes a script that submits all 1,000,000 possible 6-digit PINs (000000 to 999999). At a few thousand requests per second the script hits the correct PIN within about 5 minutes and takes over the admin account. The randomness of the PIN was never the problem: with only a million possibilities, the verification endpoint must limit how many guesses an attacker gets (for example, by invalidating the PIN after a handful of failures), make the PIN expire quickly, and accept it only once.
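As an added example (not code from the original page), here is the scenario above in Python with the flawed verification endpoint and a hardened one side by side, plus the attacker's guessing loop run against both. The `VulnerableResetService` and `HardenedResetService` classes, the `brute_force` helper and the policy values `MAX_ATTEMPTS = 5` and `TTL_SECONDS = 600` are assumptions for illustration, not part of the page.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_LENGTH = 6           # 10**6 possible values, as in the scenario above
MAX_ATTEMPTS = 5         # hypothetical policy: invalidate the PIN after 5 wrong guesses
TTL_SECONDS = 10 * 60    # hypothetical policy: a PIN is only valid for ten minutes


@dataclass
class ResetRequest:
    pin: str
    created_at: float
    attempts: int = 0
    consumed: bool = False


class VulnerableResetService:
    """Mirrors the flawed design: the PIN itself is random, but every guess is
    checked with no attempt limit, no expiry and no single-use enforcement."""

    def __init__(self):
        self._pending = {}  # email -> ResetRequest

    def request_reset(self, email):
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        self._pending[email] = ResetRequest(pin=pin, created_at=time.time())
        return pin  # a real service would email this, never hand it to the caller

    def verify(self, email, guess, now=None):
        req = self._pending.get(email)
        return req is not None and guess == req.pin


class HardenedResetService(VulnerableResetService):
    """Same PIN generation, but the verification endpoint burns the PIN after
    MAX_ATTEMPTS failures, after TTL_SECONDS, and after a single success."""

    def verify(self, email, guess, now=None):
        now = time.time() if now is None else now
        req = self._pending.get(email)
        if req is None or req.consumed:
            return False
        if now - req.created_at > TTL_SECONDS or req.attempts >= MAX_ATTEMPTS:
            # Invalidate: the attacker must trigger a fresh email (and a fresh
            # random PIN) to get another MAX_ATTEMPTS guesses.
            del self._pending[email]
            return False
        req.attempts += 1
        if hmac.compare_digest(guess.encode(), req.pin.encode()):
            req.consumed = True  # single use: a replayed PIN is rejected
            return True
        return False


def brute_force(service, email):
    """The attacker's script from the scenario: try 000000 .. 999999 in order.
    Returns the PIN that was accepted, or None if every guess was rejected."""
    for n in range(10 ** PIN_LENGTH):
        guess = f"{n:0{PIN_LENGTH}d}"
        if service.verify(email, guess):
            return guess
    return None


if __name__ == "__main__":
    victim = "admin@company.com"  # constructed sample target, as in the text

    weak = VulnerableResetService()
    real_pin = weak.request_reset(victim)
    print("vulnerable service: brute force recovered", brute_force(weak, victim),
          "(actual PIN", real_pin + ")")

    strong = HardenedResetService()
    strong.request_reset(victim)
    print("hardened service: brute force recovered", brute_force(strong, victim))
```

Against the vulnerable service the loop always recovers the PIN within a million calls; against the hardened one the attacker gets five guesses per reset email, so each attempt has a 5 in 1,000,000 chance and then forces a new email to the real account owner. The attempt counter lives server-side with the PIN, so a client that drops its own cookies or rotates IP addresses gains nothing, and `hmac.compare_digest` keeps the comparison from leaking the PIN one character at a time through timing.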
Why should you use `bcrypt` instead of `SHA-256` for hashing passwords in your database?