Scribd
Upload
0 views

Session Management More

The document discusses session management, highlighting the importance of managing user sessions to avoid constant re-authentication. It covers various methods for storing session tokens, including browser cookies, URL embedding, and hidden form fields, along with their associated problems and security risks. Additionally, it addresses authentication methods like HTTP Basic and Digest authentication, cookie-based solutions, and the concept of Single Sign-On for accessing multiple applications with a single set of credentials.

Uploaded by

22f3000894
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0 views

Session Management More

The document discusses session management, highlighting the importance of managing user sessions to avoid constant re-authentication. It covers various methods for storing session tokens, including browser cookies, URL embedding, and hidden form fields, along with their associated problems and security risks. Additionally, it addresses authentication methods like HTTP Basic and Digest authentication, cookie-based solutions, and the concept of Single Sign-On for accessing multiple applications with a single set of credentials.

Uploaded by

22f3000894
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 16

SESSION MANAGEMENT

& MORE
Dr. Koyel Datta Gupta
Sessions
A sequence of requests and responses from
one browser to one (or more) sites
Session can be long or short
Without session management:
Users would have to constantly re-authenticate
Session management:
 Authorize user once
All subsequent requests are tied to user
Pre-history: HTTP auth
HTTP auth problems
Hardly used in commercial sites

 What if user has multiple accounts?

Site cannot customize password dialog

Easily spoofed
Session tokens
Storing session tokens:
Browser cookie:
Set-Cookie: SessionToken=fduhye63sfdb

 Embedd in all URL links:


https://site.com/checkout ?

SessionToken=kh7y3b
 In a hidden form field:
<input type=“hidden” name=“sessionid”

value=“kh7y3b”>
PROBLEM
Storing session tokens: problems
 Browser cookie:
browser sends cookie with every request, even
when it should not
Embed in all URL links:
token leaks via HTTP Referer header
 In a hidden form field: short sessions only
Active and Passive Attack
Scenarios
Session Hijacking
Eavesdropping
Session Fixation
Cross-Site Scripting
Exhaustive Search
Intelligent Manipulation of Session Data
Network Manipulation (e.g. change of DNS
entries)
etc.
URL-based Solutions
 The session token is part of the URL and will be transmitted to
the web server through HTTP GET requests
 Example: http://www.blabla.com/buy.asp?
article=27781;sessionid=IE5579901578
 This mechanism works even in case of user client security
restrictions (if, for example, no cookies are allowed). Thus, it
can serve as a fallback mechanism if the server detects
problems with other mechanisms like cookies or JavaScript
Problems:
 All information contained in the URL might be stored in firewall
or proxy log files
 Also, it could simply be printed out with the web page on a
shared printer
 Moreover, the URL, including potentially sensitive data, can be
sent in the HTTP referrer field to other web servers. This
implies a high risk of sensitive session data being disclosed to
Form-based Solutions with Hidden
Fields
 Session token and information can be included in so-called
hidden fields in a form
 The form will be sent by the user client to the server with an
HTTP POST command. This looks like the following example:
<FORM METHOD=POST ACTION=”/cgi-bin/order_goods.pl”>
<INPUT TYPE=”hidden” NAME=”customerid” VALUE=”0815”>
<INPUT TYPE=”hidden” NAME=”valid_order” VALUE=”yes”>
<INPUT TYPE=”hidden” NAME=”productid” VALUE=”4711”>
 As described in the case of URL-encoded session tokens, this
form-based mechanism works even in case of user client
security restrictions (if, for example, no cookies are allowed).
Thus, it can serve as a fallback mechanism if the server detects
problems with other mechanisms like cookies or JavaScript
 The form-based solution does not provide pre-defined
protection mechanisms as those provided by cookies, for
example
 Moreover, the form-based approach requires repeated sending
of HTTP forms via POST commands, which implies a certain
amount of overhead that might reduce performance. Also,
HTTP Basic and/or Digest
Authentication-based Solutions
 In HTTP Basic authentication, the client sends his username
and password in cleartext as part of the HTTP request
 In all subsequent HTTP requests for content from
subdirectories of the original request, these credentials will be
automatically resent
 In HTTP Digest authentication, no passwords are sent in the
clear
 Instead, a cryptographic hash value containing the username,
password, and additional security-relevant data, will be
transmitted from the client to the server (more details can be
found in RFC2617 - HTTP Authentication: Basic and Digest
Access Authentication, June 1999)
Problems:
 HTTP Basic authentication is vulnerable to passive
eavesdropping. Moreover, it provides no mechanism for
explicit session expiration (i.e. logout)
 HTTP Digest authentication cannot guarantee sufficient
support on all client platforms
Cookie-based Solutions
 Cookies are a simple session management mechanism

 Cookies have been designed to track status information

about user visits on web servers (who requested which


pages at what time)
 Originally, nobody intended to use cookies for
authentication purposes
 Nevertheless, a large quantity of web applications today

uses cookies for user authentication and authorization


 Cookies are normally sent from the web server to the

client using two different methods: either within HTTP


USER AUTHENTICATION
Single Sign-On
This is a session/user authentication process

that permits a user to enter one name and


password in order to access multiple
applications.
Applications should trust a central authority.

You might also like