I have created an authentication API to manage user sessions and the works. To log a user in, the user sends their credentials to my API endpoint and it returns “true” or “false” based on their login. I recently received an issue report stating that using “a burp and intercept”, the response of “false” can be changed to “true”, bypassing a failed login attempt and tricking the browser into thinking the user is logged in.
I’ll be honest: I have no clue how to prevent this. And if I cannot prevent it, is there a better way to be authenticating users?
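A server-side way to close this, as an added example that is not code from the question's API: the login endpoint hands out a signed session token only after it has verified the password itself, and every protected endpoint validates that token, so a client that rewrites `false` to `true` still holds no token and gains nothing. The names `register`, `login`, `current_user` and `SERVER_SECRET` and the in-memory user store are assumptions for the demo.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

# Assumed per-deployment secret; lives only on the server, never in a response.
SERVER_SECRET = secrets.token_bytes(32)
_USERS = {}  # constructed in-memory store: username -> (salt, pbkdf2 digest)
_ITER = 100_000

def register(username, password):
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER))

def _b64(raw): return base64.urlsafe_b64encode(raw).decode()
def _mac(payload): return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()

def login(username, password, ttl=3600):
    """Verify credentials on the server. Success returns a signed session token;
    failure returns None. The browser never decides whether it is logged in."""
    rec = _USERS.get(username)
    if rec is None:
        return None
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)
    if not hmac.compare_digest(candidate, stored):
        return None
    payload = json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode()
    return _b64(payload) + "." + _b64(_mac(payload))

def current_user(token):
    """Called by every protected endpoint: returns the username only if the token
    carries a MAC made with SERVER_SECRET and has not expired. Anything the client
    invents or edits (a bare "true", a changed username) fails the MAC check."""
    try:
        p_b64, m_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")
```

In a deployment the token goes in an `HttpOnly`, `Secure` cookie (or a session id that indexes server-side state), and the login response body can stay a plain `true`/`false` because nothing trusts it.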