Eradicating Bearer Tokens for Session Management

Session management is a crucial component of every modern web application. It links multiple requests and temporary stateful information together, enabling a rich and interactive user experience. The de facto cookie-based session management mechanism is, however, flawed by design: the session cookie is a bearer token, so it can be stolen through simple eavesdropping or script injection attacks. Possession of the session cookie gives an adversary full control over the user's session, allowing the adversary to impersonate the user to the target application and perform transactions in the user's name. While several alternatives for secure session management exist, they have not been adopted because they introduce additional roundtrips and overhead, and because they are incompatible with current Web technologies, such as third-party authentication providers, or with widely deployed middleboxes, such as web caches. We identify four key objectives for a secure session management mechanism that aims to be compatible with the current and future Web. We propose SecSess, a lightweight session management mechanism based on a shared secret between client and server, which is used to authenticate each request. SecSess ensures that a session remains under the control of the parties that established it, and introduces only limited overhead. During session establishment, SecSess introduces no additional roundtrips and adds only 4.3 milliseconds of combined client-side and server-side processing. Once a session is established, the overhead becomes negligible (< 0.1 ms), and the average size of the request headers is even smaller than with common session cookies. Additionally, SecSess works well with currently deployed systems, such as web caches and third-party services. SecSess also supports a gradual migration path while remaining compatible with existing applications.
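The abstract describes the core idea only at the level of "a shared secret between client and server, used to authenticate each request". The following Python block is an added illustration of that general idea and is not SecSess's protocol or code: the abstract does not specify the wire format, the MAC construction or the replay defence, so the header names, the use of HMAC-SHA256, the per-session counter, and the binding of method, path and body are all assumptions of this example. The key-agreement step that would establish the secret is assumed to have already happened; the secret value and the request scenario are constructed for the demonstration. The example goes slightly beyond the abstract by showing why per-request authentication defeats the eavesdropper that a bearer cookie does not: a captured request can be neither replayed nor re-targeted, and a fresh request cannot be forged without the secret.

```python
"""Per-request authentication with a shared session secret.

Added illustration of the idea in the abstract, not SecSess's own design: the
client keeps a secret that is never transmitted and proves possession by
computing an HMAC over every request. Header names, message layout, counter
based replay protection and the constructed secret are assumptions here.
"""
import hashlib
import hmac

# Header names are assumptions of this example, not SecSess's wire format.
HEADER_SESSION = "X-Session-Id"
HEADER_COUNTER = "X-Session-Counter"
HEADER_AUTH = "X-Session-Auth"


def canonical_message(method, path, counter, body):
    """Bind method, path, a per-session counter and a body digest into the
    string that is authenticated. Authenticating the counter is what turns a
    captured tag into a one-shot value the server will not accept twice."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{counter}\n{body_hash}".encode()


def compute_tag(secret, method, path, counter, body):
    return hmac.new(secret, canonical_message(method, path, counter, body),
                    hashlib.sha256).hexdigest()


class Client:
    """Holds the shared secret; it is never sent, only used to compute tags."""

    def __init__(self, session_id, secret):
        self.session_id = session_id
        self.secret = secret
        self.counter = 0

    def request(self, method, path, body=b""):
        self.counter += 1
        tag = compute_tag(self.secret, method, path, self.counter, body)
        headers = {
            HEADER_SESSION: self.session_id,
            HEADER_COUNTER: str(self.counter),
            HEADER_AUTH: tag,
        }
        return (method, path, headers, body)


class Server:
    """Keeps (secret, highest counter seen) per session and checks every request."""

    def __init__(self):
        self.sessions = {}

    def establish(self, session_id, secret):
        # Key agreement is out of scope here (the abstract does not describe
        # it), so the already-agreed secret is simply handed to both sides.
        self.sessions[session_id] = {"secret": secret, "last_counter": 0}

    def verify(self, method, path, headers, body):
        session = self.sessions.get(headers.get(HEADER_SESSION))
        if session is None:
            return "unknown session"
        try:
            counter = int(headers.get(HEADER_COUNTER, ""))
        except ValueError:
            return "bad counter"
        expected = compute_tag(session["secret"], method, path, counter, body)
        # Constant-time comparison; check the tag before trusting the counter,
        # so an unauthenticated request can never advance the counter.
        if not hmac.compare_digest(expected, headers.get(HEADER_AUTH, "")):
            return "bad tag"
        if counter <= session["last_counter"]:
            return "replay"
        session["last_counter"] = counter
        return "ok"


def demo():
    """Constructed scenario: one honest request is captured on the wire and an
    eavesdropper tries to reuse it. Returns the server's verdict per attempt."""
    secret = hashlib.sha256(b"constructed example secret").digest()
    server = Server()
    server.establish("sess-1", secret)
    client = Client("sess-1", secret)

    captured = client.request("POST", "/transfer", b"to=alice&amount=10")
    results = {"honest": server.verify(*captured)}
    # Replaying the captured request byte-for-byte fails on the counter.
    results["replay"] = server.verify(*captured)
    # Re-targeting the captured request fails because the body is authenticated.
    method, path, headers, body = captured
    results["tampered"] = server.verify(method, path, headers,
                                        b"to=mallory&amount=10")
    # Forging a fresh request without the secret fails because the tag is wrong.
    forged = {**headers, HEADER_COUNTER: "99", HEADER_AUTH: "0" * 64}
    results["forged"] = server.verify("GET", "/account", forged, b"")
    # The honest client keeps working after the attack attempts.
    results["honest_next"] = server.verify(*client.request("GET", "/account"))
    return results


if __name__ == "__main__":
    for attempt, verdict in demo().items():
        print(f"{attempt:12s} -> {verdict}")
```

With a bearer session cookie, every one of the eavesdropper's attempts above would have been accepted, because possession of the cookie is the whole proof. The counter-based replay check is the simplest option and assumes in-order delivery on one connection; a sliding window or server-issued nonces would be needed for parallel requests, which this example does not handle.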