
Sessionlock: Securing Web Sessions Against Eavesdropping

B. Adida
Published 2008 · Computer Science

Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.
This paper is referenced by
10.1007/s00500-019-04138-5
On one-time cookies protocol based on one-time password
Junhui He (2020)
Simple But Not Secure: An Empirical Security Analysis of OAuth 2.0-Based Single Sign-On Systems
San-Tsai Sun (2012)
10.1109/Trustcom.2015.536
ARP Cache Poisoning Mitigation and Forensics Investigation
Heman Awang Mangut (2015)
A Survey on Session Management Vulnerabilities in Web Application
Namitha P (2018)
10.1007/978-3-319-07941-7_28
Applications of QR Codes in Secure Mobile Data Exchange
A. Hlobaz (2014)
Eradicating Bearer Tokens for Session Management
P. D. Ryck (2014)
Convenient decentralized authentication using passwords
Kent E. Seamons (2010)
10.1145/2465106.2465432
GlassTube: a lightweight approach to web application integrity
Per A. Hallgren (2013)
10.1145/2420950.2420977
BetterAuth: web authentication revisited
Martin Johns (2012)
10.1007/978-3-642-15257-3_8
Who on Earth Is "Mr. Cypher": Automated Friend Injection Attacks on Social Networking Sites
M. Huber (2010)
Detection of session hijacking
J. Louis (2011)
MITM Attack Detection on Computing Networks
Xiaohua Feng (2013)
10.2478/cait-2014-0032
A Prevention Model for Session Hijack Attacks in Wireless Networks Using Strong and Encrypted Session ID
Siyamalan Manivannan (2014)
10.1007/s12083-019-00739-x
P2P networking based internet of things (IoT) sensor node authentication by Blockchain
Sunghyuck Hong (2020)
Deliverable D1.1 Web-platform security guide: Security assessment of the Web ecosystem
P. D. Ryck (2013)
10.1109/TDSC.2015.2465965
SPE: Security and Privacy Enhancement Framework for Mobile Devices
Brian Krupp (2017)
One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials
Italo Dacosta (2011)
10.1145/2664243.2664261
Network dialog minimization and network dialog diffing: two novel primitives for network security applications
M. Zubair Rafique (2014)
Improved Internet Security Protocols Using Cryptographic One-Way Hash Chains
Amerah Alabrah (2014)
MODELING AND ANALYZING WEB PROTOCOLS FOR TRUST AND SECRECY
A. Kumar (2012)
Enforcing Session Integrity in the World "Wild" Web
Mauro Tempesta (2015)
10.1109/ICDCSW.2013.6
A Framework for Enhancing Security and Privacy on Unmodified Mobile Operating Systems
Brian Krupp (2013)
Improving the security of session management in web applications
Philippe De Ryck (2013)
10.1016/j.cose.2012.02.005
Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures
San-Tsai Sun (2012)
Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Wilayat Khan (2015)
10.1145/2220352.2220353
One-time cookies: Preventing session hijacking attacks with stateless authentication tokens
Italo Dacosta (2012)
10.1007/978-3-319-12226-7_7
Attacks on the User’s Session
Philippe De Ryck (2014)
New Method for Public Key Distribution Based on Social Networks
Krzysztof Podlaski (2015)
Simple, Secure, Selective Delegation in Online Identity Systems
Bryant Cutler (2008)
Fast and Efficient Browser Identification with JavaScript Engine Fingerprinting Technical Report TR-SBA-Research-0512-01
M. Mulazzani (2012)
A Lightweight Approach to Web Application Integrity
Per A. Hallgren (2013)
10.1007/978-3-319-64701-2_52
Tor De-anonymisation Techniques
Juha Nurmi (2017)