Title: One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens
Author(s)
Dacosta, Italo
Chakradeo, Saurabh
Ahamad, Mustaque
Traynor, Patrick
Abstract
HTTP cookies are the de facto mechanism for session authentication in web applications. However,
their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended
to protect cookies, but deploying full HTTPS support can be challenging due to performance
and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed
in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC),
a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by
signing each user request with a session secret securely stored in the browser. Unlike other proposed
solutions, OTC does not require expensive state synchronization in the web application, making it easily
deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress
platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental
analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible
overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to
effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time
Cookies can significantly improve the security of web applications with minimal impact on performance
and scalability.
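The abstract describes the core idea (each request is signed with a per-session secret held by the browser, and the web application verifies it without synchronized session state). The following is an added illustration of that general pattern, not the construction from the report and not code from the authors: it assumes a server-side master key, derives the session secret from the session identifier so any server in a cluster can verify without a shared session store, binds method, path, body hash, timestamp and nonce into the signed material, and rejects stale or altered requests. The constructed sample values (master key, session id) are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example master key: held only by the web application servers,
# never sent to the browser. In a real deployment this comes from a key store.
SERVER_MASTER_KEY = secrets.token_bytes(32)


def derive_session_secret(master_key: bytes, session_id: str) -> bytes:
    """Derive the per-session secret from the master key and session id.

    Because the derivation is deterministic, every server holding the master
    key can recompute the secret on demand: no session state has to be
    replicated across the cluster (assumed design, not the report's).
    """
    return hmac.new(master_key, b"otc-session:" + session_id.encode(), hashlib.sha256).digest()


def canonical_request(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Serialize the request fields that the signature must cover.

    Hashing the body keeps the signed string short; including method, path,
    timestamp and nonce means a captured tag cannot be reused for a different
    request or replayed outside the acceptance window.
    """
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp), nonce]).encode()


def sign_request(session_secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int, nonce: str) -> str:
    """Browser side: compute the per-request tag with the session secret."""
    msg = canonical_request(method, path, body, timestamp, nonce)
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def verify_request(master_key: bytes, session_id: str, method: str, path: str, body: bytes,
                   timestamp: int, nonce: str, tag: str, now: int, max_skew: int = 60) -> bool:
    """Server side: recompute the tag statelessly and compare in constant time.

    A request whose timestamp is outside +/- max_skew seconds is rejected, so a
    replayed tag only has a short window. Full one-time semantics would also
    need nonce tracking, which this illustration deliberately leaves out.
    """
    if abs(now - timestamp) > max_skew:
        return False
    secret = derive_session_secret(master_key, session_id)
    expected = sign_request(secret, method, path, body, timestamp, nonce)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run an honest request, a path-tampered replay and a stale replay."""
    session_id = "sess-example-123"  # constructed sample value
    secret = derive_session_secret(SERVER_MASTER_KEY, session_id)
    now = int(time.time())
    nonce = secrets.token_hex(8)
    tag = sign_request(secret, "POST", "/account/update", b"email=a@example.org", now, nonce)
    return {
        "honest": verify_request(SERVER_MASTER_KEY, session_id, "POST", "/account/update",
                                 b"email=a@example.org", now, nonce, tag, now),
        "path_tampered": verify_request(SERVER_MASTER_KEY, session_id, "POST", "/admin/update",
                                        b"email=a@example.org", now, nonce, tag, now),
        "stale_replay": verify_request(SERVER_MASTER_KEY, session_id, "POST", "/account/update",
                                       b"email=a@example.org", now, nonce, tag, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The security-relevant point the example makes concrete: the session secret never travels on the wire, so a passively captured request yields only a tag bound to one method, path, body and time window, unlike a bearer cookie that authenticates any request until the session ends. Verification needs only the master key, which is what keeps the scheme cheap to deploy across many servers.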
Date Issued
2012-02
Resource Type
Text
Resource Subtype
Technical Report