Abstract
Cookies are used to track user sessions on Web servers. However, the security weaknesses of cookies can allow a session to be hijacked. To resist such attacks, Dacosta et al. proposed the one-time cookies (OTC) protocol. Unfortunately, it has two main weaknesses: its availability relies on time synchronization between the two machines, and it uses a fixed session key to generate OTCs for the whole session, which gives an adversary the opportunity to crack the key. Motivated by these shortcomings, this paper proposes a novel OTC protocol based on a one-time password (OTP). The protocol adopts an OTP algorithm based on a hash chain, which avoids the time synchronization problem and generates a dynamic key that improves the security of OTC. For efficiency, we also enhance the OTP algorithm. Security analysis and experimental results show that the proposed OTC protocol delivers high security with minimal performance overhead.
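As an added illustration (not the paper's protocol; the class names, message layout and the choice of SHA-256/HMAC are assumptions), the sketch below shows the mechanism the abstract describes: a Lamport-style hash chain supplies a fresh key per request, the server only stores the last verified link, no clock is involved, and a captured one-time cookie is rejected both on replay and when bound to a different request. It assumes the cookie travels over TLS, as the chain value itself is disclosed to the server.

```python
import hashlib
import hmac
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, n: int) -> list:
    """chain[i] = H^i(seed); the server is enrolled with chain[n] only."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class OtcServer:
    """Keeps the last verified chain link; verification needs no clock."""
    def __init__(self, session_id: bytes, anchor: bytes):
        self.session_id, self.anchor = session_id, anchor

    def verify(self, request: bytes, cookie: tuple) -> bool:
        otp, tag = cookie
        if H(otp) != self.anchor:          # not the next link, or a spent (replayed) one
            return False
        expected = hmac.new(otp, self.session_id + request, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                   # token is bound to a different request
        self.anchor = otp                  # advance: this link can never be accepted again
        return True


class OtcClient:
    def __init__(self, session_id: bytes, chain: list):
        self.session_id, self.chain = session_id, chain
        self.idx = len(chain) - 1          # chain[idx] is the link the server holds

    def make_cookie(self, request: bytes) -> tuple:
        if self.idx == 0:
            raise RuntimeError("hash chain exhausted: re-register with a new seed")
        self.idx -= 1
        otp = self.chain[self.idx]         # dynamic key, used for this request only
        tag = hmac.new(otp, self.session_id + request, hashlib.sha256).digest()
        return otp, tag


def demo() -> dict:
    """Constructed scenario: two legitimate requests, a replay and a forgery attempt."""
    sid, chain = b"sess-42", build_chain(os.urandom(32), 4)
    client, server = OtcClient(sid, chain), OtcServer(sid, chain[-1])
    c1 = client.make_cookie(b"GET /account")
    first = server.verify(b"GET /account", c1)
    replay = server.verify(b"GET /account", c1)             # same cookie presented again
    c2 = client.make_cookie(b"POST /transfer?amt=10")
    forged = server.verify(b"POST /transfer?amt=99", c2)    # cookie reused on another request
    second = server.verify(b"POST /transfer?amt=10", c2)
    return {"first": first, "replay": replay, "forged": forged, "second": second}
```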
References
Adida B (2008) Sessionlock: securing web sessions against eavesdropping. In: WWW 2008: proceedings of 17th international conference on world wide web, Beijing, China, pp 517–524
Bates D, Barth A, Jackson C (2010) Regular expressions considered harmful in client-side XSS filters. In: WWW 2010: proceedings of the 19th international conference on world wide web, Raleigh, North Carolina, USA, pp 91–100
Callegati F, Cerroni W, Ramilli M (2009) Man-in-the-middle attack to the HTTPS protocol. IEEE Secur Priv 7(1):78–81
Calzavara S, Focardi R, Squarcina M, Tempesta M (2017) Surviving the web: a journey into web session security. ACM Comput Surv 50(1):13
Chang X, Nie F, Wang S, Yang Y, Zhou X, Zhang C (2016) Compound rank-k projections for bilinear analysis. IEEE Trans Neural Netw Learn Syst 27(7):1502–1513
Chang X, Ma Z, Yang Y, Zeng Z, Hauptmann AG (2017) Bi-level semantic representation analysis for multimedia event detection. IEEE Trans Cybern 47(5):1180–1197
Dacosta I, Chakradeo S, Ahamad M, Traynor P (2012) One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans Internet Technol 12(1):1
Kristol D, Montulli L (1997) RFC 2109—HTTP state management mechanism. https://www.rfc-editor.org/info/rfc2109. Accessed 16 Jan 2019
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Lin L, Chen K, Zhong S (2017) Enhancing the session security of zen cart based on HMAC-SHA256. KSII Trans Internet Inf Syst 11(1):466–483
M’Raihi D, Bellare M, Hoornaert F, Naccache D, Ranen O (2005) RFC 4226—HOTP: an HMAC-based one-time password algorithm. https://tools.ietf.org/html/rfc4226. Accessed 1 Dec 2018
M’Raihi D, Machani S, Pei M, Rydell J (2011) RFC 6238—TOTP: time-based one-time password algorithm. https://www.rfc-editor.org/info/rfc6238. Accessed 1 Dec 2018
Neuman C, Yu T, Hartman S, Raeburn K (2005) RFC 4120—the Kerberos network authentication service (V5). http://tools.ietf.org/html/rfc4120. Accessed 24 Jan 2019
Nikiforakis N, Meert W, Younan Y, Johns M, Joosen W (2011) SessionShield: lightweight protection against session hijacking. In: ESSoS 2011: proceedings of the 3rd international symposium on engineering secure software and systems, Madrid, Spain, pp 87–100
Park CS (2018) One-time password based on the hash chain without shared secret and re-registration. Comput Secur 75:138–146
Sarmah U, Bhattacharyya DK, Kalita JK (2018) A survey of detection methods for XSS attacks. J Netw Comput Appl 118:113–143
Siddiqui MS, Verma D (2011) Cross site request forgery: a common web application weakness. In: ICCSN 2011: IEEE 3rd international conference on communication software and networks, Xian, China, pp 538–543
Tang S, Dautenhahn N, King ST (2011) Fortifying web-based applications automatically. In: CCS 2011: proceedings of the 18th ACM conference on computer and communications security, Chicago, USA, pp 615–626
Funding
This work is supported by the National Natural Science Foundation of China (Nos. 61672338 and 61873160).
Ethics declarations
Conflict of interest
Author Junhui He declares that he has no conflict of interest. Author Dezhi Han declares that he has no conflict of interest. Author Kuan-Ching Li declares that he has no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Communicated by B. B. Gupta.
Cite this article
He, J., Han, D. & Li, KC. On one-time cookies protocol based on one-time password. Soft Comput 24, 5657–5670 (2020). https://doi.org/10.1007/s00500-019-04138-5