One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials

Date: 2011
Authors: Dacosta, Italo; Chakradeo, Saurabh; Ahamad, Mustaque; Traynor, Patrick
Abstract
Many web applications are vulnerable to session hijacking attacks due to the insecure use of cookies for session management. The most commonly recommended defense against this threat is to completely replace HTTP with HTTPS. However, this approach presents several challenges (e.g., performance and compatibility concerns) and therefore has not been widely adopted. In this paper, we propose “One-Time Cookies” (OTC), an HTTP session authentication protocol that is efficient, easy to deploy and resistant to session hijacking. OTC’s security relies on the use of disposable credentials based on a modified hash chain construction. We implemented OTC as a plug-in for the popular WordPress platform and conducted extensive performance analysis using extensions developed for both Firefox and Firefox for mobile browsers. Our experiments demonstrate the ability to maintain session integrity with a throughput improvement of 51% over HTTPS and performance comparable to a cookie-based approach. In so doing, we demonstrate that one-time cookies can significantly improve the security of web sessions with minimal changes to current infrastructure.
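To illustrate why disposable credentials drawn from a hash chain resist replay, here is an added example (not the paper's code, and not its modified OTC construction, which the abstract does not detail): a plain Lamport-style chain in which the server stores only the last accepted value and each request reveals the next preimage, so a credential captured off the wire is worthless once the legitimate request has been served. The `OtcClient`, `OtcServer` and `demo` names are assumptions introduced for this example.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """One step of the chain: SHA-256 of the previous value."""
    return hashlib.sha256(data).digest()


class OtcClient:
    """Holds a random seed and the chain seed, H(seed), ..., H^n(seed)."""

    def __init__(self, length: int):
        chain = [secrets.token_bytes(32)]
        for _ in range(length):
            chain.append(h(chain[-1]))
        self.chain = chain
        self.next_idx = length - 1  # credentials are spent from the anchor backwards

    def anchor(self) -> bytes:
        # H^n(seed): registered with the server at login, reveals no preimage.
        return self.chain[-1]

    def next_credential(self) -> bytes:
        if self.next_idx < 0:
            raise RuntimeError("chain exhausted; client must re-authenticate")
        cred = self.chain[self.next_idx]
        self.next_idx -= 1
        return cred


class OtcServer:
    """Keeps, per session, only the most recently accepted chain value."""

    def __init__(self):
        self.sessions = {}

    def start_session(self, sid: str, anchor: bytes) -> None:
        self.sessions[sid] = anchor

    def verify(self, sid: str, cred: bytes) -> bool:
        last = self.sessions.get(sid)
        if last is None or h(cred) != last:
            return False
        self.sessions[sid] = cred  # advance: the same value can never verify again
        return True


def demo() -> dict:
    """Constructed walk-through: a legitimate request, a replay of its cookie, then the next request."""
    client, server = OtcClient(length=5), OtcServer()
    server.start_session("sess-1", client.anchor())
    first = client.next_credential()
    return {"first": server.verify("sess-1", first),
            "replay": server.verify("sess-1", first),
            "second": server.verify("sess-1", client.next_credential())}
```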