(Georgia Institute of Technology, 2012-02)
Dacosta, Italo; Chakradeo, Saurabh; Ahamad, Mustaque; Traynor, Patrick
HTTP cookies are the de facto mechanism for session authentication in web applications. However,
their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended
to protect cookies, but deploying full HTTPS support can be challenging due to performance
and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed
in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC),
a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by
signing each user request with a session secret securely stored in the browser. Unlike other proposed
solutions, OTC does not require expensive state synchronization in the web application, making it easily
deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress
platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental
analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible
overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to
effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time
Cookies can significantly improve the security of web applications with minimal impact on performance
and scalability.
(Georgia Institute of Technology, 2011)
Dacosta, Italo; Chakradeo, Saurabh; Ahamad, Mustaque; Traynor, Patrick
Many web applications are vulnerable to session hijacking
attacks due to the insecure use of cookies for
session management. The most recommended defense
against this threat is to completely replace HTTP with
HTTPS. However, this approach presents several challenges
(e.g., performance and compatibility concerns)
and therefore, has not been widely adopted. In this paper,
we propose “One-Time Cookies” (OTC), an HTTP
session authentication protocol that is efficient, easy to
deploy and resistant to session hijacking. OTC’s security
relies on the use of disposable credentials based on
a modified hash chain construction. We implemented
OTC as a plug-in for the popular WordPress platform
and conducted extensive performance analysis using extensions
developed for both Firefox and Firefox for mobile
browsers. Our experiments demonstrate the ability
to maintain session integrity with a throughput improvement
of 51% over HTTPS and a performance approximately
similar to a cookie-based approach. In so doing,
we demonstrate that one-time cookies can significantly
improve the security of web sessions with minimal
changes to current infrastructure.