Abstract
Cloud systems are now widespread and are part of our lives even when we do not notice them. These services store our pictures and documents; we post our fitness data to them, do our shopping and publish our thoughts on different clouds, or simply let apps track our position and send it to some server. Services that are not primarily browser-based often also offer a way to check our data from a browser over HTTP or HTTPS. This is where the security vulnerability studied in this paper arises. Because HTTP is a stateless protocol, something must maintain persistence, and session cookies were invented for this purpose. We work with a particular type of attack called session hijacking, which targets these cookies: if an attacker obtains them, he can act as the authenticated user. We show multiple ways to steal these cookies and multiple ways to protect them. We present our measurements of how vulnerable different sites are to this type of attack, and we survey the existing methods for protecting servers against this threat. Finally, we introduce our embedded authenticator TooKie (a blend of token and cookie), a token-based application. We show that it gives strong protection against session hijacking, yet is simple to set up and use.
Acknowledgment
Authors thank Ericsson Ltd. for support via the ELTE CNL collaboration.
© 2016 Springer International Publishing Switzerland
Cite this chapter
Vörös, P., Kiss, A. (2016). TooKie: A New Way to Secure Sessions. In: Król, D., Madeyski, L., Nguyen, N. (eds) Recent Developments in Intelligent Information and Database Systems. Studies in Computational Intelligence, vol 642. Springer, Cham. https://doi.org/10.1007/978-3-319-31277-4_17
DOI: https://doi.org/10.1007/978-3-319-31277-4_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31276-7
Online ISBN: 978-3-319-31277-4
eBook Packages: Engineering (R0)