Abstract
Stateless session cookies allow web applications to alter their behaviour based on user preferences and access rights, without maintaining server-side state for each session. This is desirable because it reduces the impact of denial of service attacks and eases database replication issues in load-balanced environments. The security of existing session cookie proposals depends on the server protecting the secrecy of a symmetric MAC key, which for engineering reasons is usually stored in a database, and thus at risk of accidental leakage or disclosure via application vulnerabilities. In this paper we show that by including a salted iterated hash of the user password in the database, and its pre-image in a session cookie, an attacker with read access to the server is unable to spoof an authenticated session. Even with knowledge of the server’s MAC key the attacker needs a user’s password, which is not stored on the server, to create a valid cookie. By extending an existing session cookie scheme, we maintain all the previous security guarantees, but also preserve security under partial compromise.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1. RFC 2616, IETF (1999)
Rescorla, E.: HTTP over TLS. RFC 2818, IETF (2000)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.1. RFC 4346, IETF (2006)
JTC 1/SC 32: Information technology – database languages – SQL. ISO/IEC 9075:2006 (2003)
Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003)
Morris, R., Thompson, K.: Password security: a case history. Communications of the ACM 22, 594–597 (1979)
Kristol, D., Montulli, L.: HTTP state management mechanism. RFC 2109, IETF (1997)
von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: Using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)
Fisk, H.: Prepared statements. MySQL Developer Zone (2004), http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
Fu, K., Sit, E., Smith, K., Feamster, N.: Dos and don’ts of client authentication on the web. In: Proceedings of the 10th USENIX Security Symposium, Washington D.C., US (2001)
Murdoch, S.J.: Wordpress cookie authentication vulnerability CVE-2007-6013 (candidate) (2007), http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt
Liu, A.X., Kovacs, J.M., Huang, C.T., Gouda, M.G.: A secure cookie protocol. In: Proceedings of the 14th IEEE International Conference on Computer Communications and Networks, pp. 333–338 (2005)
Solar Designer: Portable PHP password hashing framework (2006), http://www.openwall.com/phpass/
CERT Coordination Center: Malicious HTML tags embedded in client web requests. Advisory CA-2000-02, CERT/CC (2000), http://www.cert.org/advisories/CA-2000-02.html
Provos, N., Mazières, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, Monterey, California, US, pp. 81–92 (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Murdoch, S.J. (2011). Hardened Stateless Session Cookies. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds) Security Protocols XVI. Security Protocols 2008. Lecture Notes in Computer Science, vol 6615. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22137-8_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-22137-8_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22136-1
Online ISBN: 978-3-642-22137-8
eBook Packages: Computer ScienceComputer Science (R0)