Abstract
Secure session management is a challenging problem for Web applications. In fact, three of the ten most critical security risks included in the OWASP top ten 2013 can lead to session hijacking attacks. Best practices advocate the transmission of the session identifiers over HTTPS. However, this approach does not solve the session problems, and can’t be deployed on a wide range of HTTP-only applications. This paper presents a lightweight session management design deployed over HTTP, which allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening authentication. Our work leverages the following key insights. (1) Users already have shared secrets with their web applications (e.g. password). (2) HTTPS is primarily used to protect the authentication information. (3) A secure session management should be built on a secure initial mutual authentication. Our proposed protocol guaranties the authenticity, confidentiality, integrity, and anti-reply of authentication credentials.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Open Web Application Security Project: TOP 10 2013. https://www.owasp.org/, https://www.owasp.org/index.php/Top_10_2013
Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P.: One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. TOIT 12, 1 (2012)
Stuttard, D., Pinto, M.: The Web Application Hacker’s Handbook Finding and Exploiting Security Flaws. Wiley, Indianapolis (2011)
Liu, A.X., Kovacs, J.M., Gouda, M.G.: A secure cookie scheme. Comput. Netw. 56, 1723–1730 (2012)
Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: Proceedings of 21st USENIX Security Symposium, 2012 (2012)
Wedman, S., Tetmeyer, A., Saiedian, H.: An analytical study of web application session management mechanisms and HTTP session hijacking attacks. Inf. Secur. J. Glob. Perspect. 22, 55–67 (2013)
Fu, K., Sit, E., Smith, K., Feamster, N.: Dos and Don’ts of client authentication on the web. In: Proceedings of the 10th USENIX Security Symposium, pp. 251–268 (2001)
Park, J.S., Sandhu, R.: Secure cookies on the Web. Internet Comput. IEEE. 4, 36–44 (2000)
Xu, D., Lu, C., Dos Santos, A.: Protecting web usage of credit cards using one-time pad cookie encryption. In: Proceedings of the 18th Annual Computer Security Applications Conference, 2002 , pp. 51–58 (2002)
Adida, B.: Sessionlock: securing web sessions against eavesdropping. In: Proceedings of the 17th International Conference on World Wide Web, pp. 517–524 (2008)
Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: Proceedings of the 9th Workshop on the Economics of Information Security (2010)
Sandler, D., Wallach, D.S.: <input type=“password”> must die. In: Presented at the Web 2.0 Security & Privacy (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Sadqi, Y., Asimi, A., Asimi, Y. (2014). Short: A Lightweight and Secure Session Management Protocol. In: Noubir, G., Raynal, M. (eds) Networked Systems. NETYS 2014. Lecture Notes in Computer Science(), vol 8593. Springer, Cham. https://doi.org/10.1007/978-3-319-09581-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-319-09581-3_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-09580-6
Online ISBN: 978-3-319-09581-3
eBook Packages: Computer ScienceComputer Science (R0)