Affiliation:
1. Georgia Institute of Technology
Abstract

HTTP cookies are the de facto mechanism for session authentication in Web applications. However, their inherent security weaknesses allow attacks against the integrity of Web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this article, we propose *one-time cookies* (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the Web application, making it easily deployable in highly distributed systems. We implemented OTC as a plug-in for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies, a negligible overhead for most Web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to Web applications. In so doing, we demonstrate that one-time cookies can significantly improve the security of Web applications with minimal impact on performance and scalability.
Funder
Division of Computer and Network Systems
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications
References: 55 articles.
Cited by: 61 articles.