Avoiding authentication bypass
App must be coded such that each privileged page checks auth status whenever accessed
- There are too many ways to get to the same page with different looking URLs
Attackers can purchase the device to determine which paths are of interest
- “Hidden” paths are security through obscurity
If a separate program is used to perform the privileged operation, it must also check auth
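The following is an added example, not code from the slide deck. It shows the two points above in a small self-contained router: the authentication check is attached to the privileged handler (and to the privileged helper it calls), so every spelling of a URL that resolves to that handler is checked, while a single string check on the raw URL in front of the router is shown to miss variant spellings. The session store, route table and user names are constructed for the example.

```python
# Added example, not from the slide. Bind the authentication check to the
# privileged handler (and to the privileged helper), not to the URL string.
import posixpath
import re
from functools import wraps
from urllib.parse import unquote

# Constructed session store: token -> authenticated user. A real app would
# look this up in a server-side session backend.
SESSIONS = {"tok-alice": "alice"}


class AuthRequired(Exception):
    """Raised when a privileged handler is reached without a valid session."""


def require_auth(handler):
    """Decorator: the handler re-checks the session on every call, however it was reached."""
    @wraps(handler)
    def wrapper(request):
        user = SESSIONS.get(request.get("session_token"))
        if user is None:
            raise AuthRequired(handler.__name__)
        return handler(request, user)
    return wrapper


def normalize_path(raw):
    """Collapse the many spellings of one path into a single routing key."""
    path = unquote(raw)                     # percent-encoding -> literal characters
    path = re.sub(r"/+", "/", path)         # repeated slashes -> one
    path = posixpath.normpath(path)         # '.' segments and trailing slash
    return path.lower() or "/"


def index(request):
    return "public index"


@require_auth
def admin_panel(request, user):
    return f"admin panel for {user}"


@require_auth
def delete_account(request, user):
    # The 'separate program' that performs the privileged operation.
    # It carries its own check rather than trusting that the page
    # which called it already authenticated the user.
    return f"{user} deleted account {request['target']}"


ROUTES = {"/": index, "/admin": admin_panel, "/admin/delete": delete_account}


def handle(raw_path, request):
    """Route a request; privileged handlers enforce auth themselves."""
    handler = ROUTES.get(normalize_path(raw_path))
    if handler is None:
        return "404 not found"
    try:
        return handler(request)
    except AuthRequired:
        return "401 auth required"


def weak_gate_blocks(raw_path, request):
    """The pattern the slide warns against: one string check on the raw URL in
    front of the router. Returns True only if this gate would deny the request."""
    return raw_path.startswith("/admin") and request.get("session_token") not in SESSIONS


def run_helper_directly(request):
    """Reach the privileged helper without going through any page at all."""
    try:
        return delete_account(request)
    except AuthRequired:
        return "401 auth required"


if __name__ == "__main__":
    for spelling in ["/admin", "/admin/", "/Admin", "//admin", "/%61dmin", "/admin/./"]:
        print(f"{spelling:12} handler: {handle(spelling, {})!r:20} "
              f"raw-URL gate blocks: {weak_gate_blocks(spelling, {})}")
    print(handle("/Admin/", {"session_token": "tok-alice"}))
    print(run_helper_directly({"target": "bob"}))
```

Running the block prints one line per spelling: every variant gets "401 auth required" from the handler-bound check, while the raw-URL gate only blocks the spellings that literally start with "/admin". The last line shows the helper refusing a direct call with no session, which is the slide's final point.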