Abstract
HTTP cookies are the de facto mechanism for session authentication in Web applications. However, their inherent security weaknesses allow attacks against the integrity of Web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this article, we propose one-time cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the Web application, making it easily deployable in highly distributed systems. We implemented OTC as a plug-in for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies—a negligible overhead for most Web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to Web applications. In so doing, we demonstrate that one-time cookies can significantly improve the security of Web applications with minimal impact on performance and scalability.
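The per-request signing and stateless verification the abstract describes, as an added illustrative sketch rather than the paper's own implementation: the browser holds a session secret it never sends, each request carries a fresh HMAC over method, path, body and time, and the server re-derives the secret from a public token id under one master key (the derivation scheme, `SERVER_KEY`, header layout and freshness window are assumptions of this example, not details from the paper).

```python
import hmac, hashlib, os, time, base64

# Constructed example, not the paper's code. The server keeps only a master key;
# no per-session state has to be replicated across a distributed deployment.
SERVER_KEY = os.urandom(32)   # long-term server secret (constructed)
FRESHNESS_WINDOW = 60         # seconds a request signature stays acceptable (assumed)

def _derive_secret(token_id: bytes) -> bytes:
    # The session secret is re-derivable from the public token id, so the
    # server verifies statelessly instead of looking the session up.
    return hmac.new(SERVER_KEY, b"otc-secret|" + token_id, hashlib.sha256).digest()

def issue_session(user: str, lifetime: int = 3600, now=None):
    """Login: hand the browser a public token id and a secret it must never send."""
    now = int(time.time()) if now is None else now
    token_id = f"{user}|{now + lifetime}|{os.urandom(8).hex()}".encode()
    return token_id, _derive_secret(token_id)

def _message(method: str, path: str, body: bytes, ts: int, nonce: bytes) -> bytes:
    return b"|".join([method.encode(), path.encode(), body, str(ts).encode(), nonce])

def sign_request(token_id, secret, method, path, body=b"", now=None) -> str:
    """Browser side: a one-time signature bound to this request and this moment."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(8)
    mac = hmac.new(secret, _message(method, path, body, ts, nonce), hashlib.sha256).digest()
    b64 = base64.b64encode   # base64 never contains '.', so it is a safe separator
    return b".".join([b64(token_id), str(ts).encode(), b64(nonce), b64(mac)]).decode()

def verify_request(header: str, method: str, path: str, body=b"", now=None):
    """Server side: recompute the secret from the token id and check the MAC.
    Returns the authenticated user, or None. Note the stateless trade-off:
    without a nonce cache, a captured header is replayable for the same
    request only until the freshness window closes."""
    now = int(time.time()) if now is None else now
    try:
        tid_b64, ts, nonce_b64, mac_b64 = header.split(".")
        token_id = base64.b64decode(tid_b64)
        nonce, mac = base64.b64decode(nonce_b64), base64.b64decode(mac_b64)
        user, expiry, _ = token_id.decode().split("|")
        ts, expiry = int(ts), int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    if now > expiry or abs(now - ts) > FRESHNESS_WINDOW:
        return None   # session expired or signature stale
    expected = hmac.new(_derive_secret(token_id), _message(method, path, body, ts, nonce),
                        hashlib.sha256).digest()
    return user if hmac.compare_digest(expected, mac) else None
```

A header observed on the wire is useless for a different path or after the window, unlike a bearer cookie, which authenticates any request until logout.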