About authentication and authorization:
Let's assume I have implemented secure HttpOnly cookie-based session management with a CSRF token, let's assume there is no vulnerability in my ACL (authorization) system, and I have a rate limiter to avoid brute-force attacks.
What's the most likely vulnerability I may face when it comes to reading or updating data a user is not supposed to access? And how should I fix it?
Hmmm most of it is covered by going through OWASP's Authentication Cheat Sheets.

In my mind: session invalidation, session locking to user agent or IP address. Really depends on how sensitive your users' data is and how ahead you are on the business side of things for you to really have time to focus on security deeply.
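To make the two items in that answer concrete, here is an added example (not code from the answerer or from any particular framework) of a server-side session table that binds each session to the user agent and IP seen at login, expires it on idle and absolute timeouts, and supports invalidating all of a user's sessions. The store, timeouts, and field names are assumptions for illustration; the opaque token is what would go into the HttpOnly cookie.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed value)


@dataclass
class Session:
    user_id: str
    user_agent: str   # client fingerprint captured at login
    ip: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by the opaque token stored in the HttpOnly cookie."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def create(self, user_id, user_agent, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256-bit random id, never derived from user data
        self._sessions[token] = Session(user_id, user_agent, ip, now, now)
        return token

    def validate(self, token, user_agent, ip, now=None):
        """Return the user id for a live session, or None (dropping the session) on any anomaly."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        expired = now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT
        # Locking to user agent / IP: a token presented from a different client is rejected,
        # and the session is killed so the legitimate user has to re-authenticate.
        moved = s.user_agent != user_agent or s.ip != ip
        if expired or moved:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def invalidate(self, token):
        """Logout: forget the session server-side so the cookie value is useless afterwards."""
        self._sessions.pop(token, None)

    def invalidate_user(self, user_id):
        """Kill every session of a user, e.g. after a password change or 'log out everywhere'."""
        for tok in [t for t, s in self._sessions.items() if s.user_id == user_id]:
            del self._sessions[tok]
```

Binding to the IP address is the stricter of the two checks and will log out users whose address changes legitimately (mobile networks, corporate proxies), so many deployments bind only the user agent and rely on the timeouts and invalidation paths instead.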