SessionLock: Securing Web Sessions Against Eavesdropping

B. Adida
Published 2008 · Computer Science

Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.
