Skip to main content


Protecting OutSystems apps from authentication vulnerabilities



Protecting OutSystems apps from authentication vulnerabilities

Authentication is the way your users let your application know who they are. When vulnerable, your application will take actions or show information to someone who shouldn't be allowed to have access.

Generally, these vulnerabilities allow someone to easily fool the system. The system will accept that they are an accredited user without needing to provide actual proof.

How to do it with OutSystems Platform

The recommended strategy is that you always use an HTTPS channel.

Specifically, for the following use cases, the corresponding actions are recommended:

Use case Actions

Send passwords in clear text


Send session ID in clear text


Force session ID regeneration on login



  1. Generate a unique login token, save it to the database and perform your login flow based on the token. 
  2. Redirect the user to another page which retrieves the token (only known by the user) and logs the user in.
  3. Expire the cookie so that the user is forced to send a new one, effectively changing the session ID upon login.


More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platfom helps you develop secure applications.