Short: A Lightweight and Secure Session Management Protocol

Secure session management is a challenging problem for Web applications. In fact, three of the ten most critical security risks included in the OWASP top ten 2013 can lead to session hijacking attacks. Best practices advocate the transmission of the session identifiers over HTTPS. However, this approach does not solve the session problems, and can’t be deployed on a wide range of HTTP-only applications. This paper presents a lightweight session management design deployed over HTTP, which allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening authentication. Our work leverages the following key insights. (1) Users already have shared secrets with their web applications (e.g. password). (2) HTTPS is primarily used to protect the authentication information. (3) A secure session management should be built on a secure initial mutual authentication. Our proposed protocol guaranties the authenticity, confidentiality, integrity, and anti-reply of authentication credentials.