Nytro Posted October 1, 2013

One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens

Italo Dacosta, Saurabh Chakradeo, Mustaque Ahamad and Patrick Traynor
Converging Infrastructure Security (CISEC) Laboratory
Georgia Institute of Technology
{idacosta@, schakradeo@, mustaq@cc., traynor@cc.}gatech.edu

Abstract

HTTP cookies are the de facto mechanism for session authentication in web applications. However, their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the web application, making it easily deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time Cookies can significantly improve the security of web applications with minimal impact on performance and scalability.

Download: https://smartech.gatech.edu/jspui/bitstream/1853/42609/1/GT-CS-12-02.pdf
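The abstract describes two properties worth seeing in code: each request is signed with a per-session secret held by the browser, and the server verifies those signatures without synchronizing session state across nodes. The following Python sketch is an added illustration of that idea, not the paper's OTC protocol or the authors' WordPress/Firefox code. It assumes a hypothetical design in which every application node shares one master key, the per-session secret is derived from that key and the session identifier (so any node can re-derive it), and the signature covers the HTTP method, path, a timestamp and a nonce. The key, names and constants are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo value; a real deployment would use a random key shared by all app nodes.
MASTER_KEY = b"constructed-master-key-for-demo-only"
TOKEN_TTL = 300  # seconds a signed request stays acceptable (assumed value)


def derive_session_secret(master_key: bytes, session_id: str) -> bytes:
    """Derive the per-session secret from the master key.

    Because derivation is deterministic, any node holding the master key can
    recompute the secret from the session id alone; no shared session store
    is needed (the stateless property the abstract highlights).
    """
    return hmac.new(master_key, b"otc-session:" + session_id.encode(), hashlib.sha256).digest()


def sign_request(session_secret: bytes, session_id: str, method: str,
                 path: str, timestamp: int, nonce: str) -> str:
    """HMAC over the request details; binds the token to this one request."""
    msg = "|".join([session_id, method.upper(), path, str(timestamp), nonce]).encode()
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def issue_session(master_key: bytes, user: str):
    """Server side at login: mint a session id and hand the browser its secret.

    The user name is embedded in the session id so the verifier learns the
    principal from the id itself rather than from a lookup.
    """
    session_id = f"{user}:{secrets.token_hex(12)}"
    return session_id, derive_session_secret(master_key, session_id)


def make_request(session_id: str, session_secret: bytes, method: str,
                 path: str, now=None) -> dict:
    """Browser side: build a signed request using the locally held secret."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    sig = sign_request(session_secret, session_id, method, path, ts, nonce)
    return {"session_id": session_id, "method": method, "path": path,
            "ts": ts, "nonce": nonce, "sig": sig}


def verify_request(master_key: bytes, req: dict, now=None, ttl: int = TOKEN_TTL) -> bool:
    """Server side on any node: re-derive the secret and check the signature.

    A captured signature is useless for a different method/path, and it
    expires after ttl seconds. Replay of the identical request inside the
    window is not prevented here; a short-lived nonce cache would be needed.
    """
    now = int(now if now is not None else time.time())
    if abs(now - req["ts"]) > ttl:
        return False
    secret = derive_session_secret(master_key, req["session_id"])
    expected = sign_request(secret, req["session_id"], req["method"],
                            req["path"], req["ts"], req["nonce"])
    return hmac.compare_digest(expected, req["sig"])


if __name__ == "__main__":
    sid, sec = issue_session(MASTER_KEY, "alice")
    req = make_request(sid, sec, "GET", "/account")
    print("valid request:", verify_request(MASTER_KEY, req))
    tampered = dict(req, path="/admin")
    print("same token, other path:", verify_request(MASTER_KEY, tampered))
```

Contrast this with a plain session cookie: a stolen cookie authorizes arbitrary requests until logout, whereas a captured signature here authorizes exactly one method/path pair for a bounded time. The sketch keeps verification stateless by deriving the secret rather than storing it, which is the deployability argument the abstract makes; the trade-off, noted in the verifier comment, is that in-window replay of an identical request needs extra handling.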