
DC Field	Value	Language
dc.contributor.author	Dacosta, Italo	
dc.contributor.author	Chakradeo, Saurabh	
dc.contributor.author	Ahamad, Mustaque	
dc.contributor.author	Traynor, Patrick	
dc.date.accessioned	2012-02-10T20:49:37Z	
dc.date.available	2012-02-10T20:49:37Z	
dc.date.issued	2012-02	
dc.identifier.uri	http://hdl.handle.net/1853/42609	
dc.description	Research area: Information Security and Cryptography, Networking and Communications	
dc.description	Research topic: Internet Security, Network Security	
dc.description.abstract	HTTP cookies are the de facto mechanism for session authentication in web applications. However, their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the web application, making it easily deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies, a negligible overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time Cookies can significantly improve the security of web applications with minimal impact on performance and scalability.	en_US
dc.language.iso	en_US	en_US
dc.publisher	Georgia Institute of Technology	en_US
dc.relation.ispartofseries	SCS Technical Report ; GT-CS-12-02	en_US
dc.subject	Cookies	en_US
dc.subject	Hash chain	en_US
dc.subject	Information Security	en_US
dc.subject	One-Time Cookies	en_US
dc.subject	State synchronization	en_US
dc.subject	Web applications	en_US
dc.subject	Web session authentication	en_US
dc.title	One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens	en_US
dc.type	Technical Report	en_US
dc.contributor.corporatename	Georgia Institute of Technology. College of Computing	
dc.contributor.corporatename	Georgia Institute of Technology. School of Computer Science	
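The abstract describes the two properties that distinguish OTC from plain cookies: every request is signed with a session secret that stays in the browser, and the web application needs no per-session state to check the signature. The Python sketch below is an added illustration of those two properties and is not the authors' WordPress or Firefox code, nor the exact OTC construction from the report. It assumes a master key shared by all web nodes (MASTER_KEY), a self-describing credential of the form user:expiry, HMAC-SHA256 for both the secret derivation and the per-request token, and a timestamp window for freshness; all function and constant names are this example's own.

```python
import hashlib
import hmac

# Constructed for this example: a long-term key held by every web node.
# Any node that has it can verify a request without shared session storage.
MASTER_KEY = b"example-master-key-shared-by-all-web-nodes"

SESSION_LIFETIME = 3600   # seconds a credential stays valid (assumed value)
CLOCK_SKEW = 300          # seconds a request timestamp may differ from server time (assumed)


def derive_session_secret(credential):
    """Session secret = HMAC(MASTER_KEY, credential); recomputable by any node."""
    return hmac.new(MASTER_KEY, credential.encode(), hashlib.sha256).digest()


def issue_session(user, now):
    """Login step. Returns (credential, session_secret).

    The credential is public and travels with every request. The session secret
    is delivered to the browser once (over HTTPS) and is kept there, never resent.
    """
    credential = f"{user}:{now + SESSION_LIFETIME}"
    return credential, derive_session_secret(credential)


def canonical_request(method, path, body, credential, ts):
    """Fields the per-request token is bound to, serialised in a fixed order."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, credential, str(ts)]).encode()


def sign_request(session_secret, method, path, body, credential, ts):
    """Browser side: a fresh token for this one request, keyed by the stored secret."""
    msg = canonical_request(method, path, body, credential, ts)
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def verify_request(method, path, body, credential, ts, token, now):
    """Server side: return the authenticated user or None. No per-session state."""
    try:
        user, expiry = credential.rsplit(":", 1)
        expiry = int(expiry)
    except ValueError:
        return None
    if now > expiry or abs(now - ts) > CLOCK_SKEW:
        return None
    # Re-derive the secret from the credential instead of looking it up.
    secret = derive_session_secret(credential)
    expected = hmac.new(secret, canonical_request(method, path, body, credential, ts),
                        hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, token) else None


def demo():
    """Exercise the normal path and the attacks a sniffed credential+token enable."""
    now = 1_700_000_000
    cred, secret = issue_session("alice", now)
    body = b'{"to":"bob","amount":10}'
    token = sign_request(secret, "POST", "/transfer", body, cred, now + 5)
    later = now + 6
    return {
        # legitimate request verifies on any node holding MASTER_KEY
        "valid": verify_request("POST", "/transfer", body, cred, now + 5, token, later),
        # a captured token cannot be pointed at a different resource...
        "replay_other_path": verify_request("POST", "/admin", body, cred, now + 5, token, later),
        # ...nor reused with an altered body
        "tampered_body": verify_request("POST", "/transfer", b'{"to":"eve","amount":10}',
                                        cred, now + 5, token, later),
        # editing the credential's expiry changes the derived secret, so the token fails
        "forged_credential": verify_request("POST", "/transfer", body, "alice:9999999999",
                                            now + 5, token, later),
        # an old token is rejected once outside the freshness window
        "stale": verify_request("POST", "/transfer", body, cred, now + 5, token,
                                now + CLOCK_SKEW + 100),
        # the credential's own expiry is enforced without a server-side session table
        "expired": verify_request("POST", "/transfer", body, cred, now + SESSION_LIFETIME + 10,
                                  token, now + SESSION_LIFETIME + 10),
    }
```

The attacker model here is the one in the abstract: someone who can read the request (credential and token) but not the browser-held secret. Two caveats a practitioner would add before deploying something like this: an identical request replayed inside the freshness window is still accepted unless each node keeps a short-lived nonce cache, and putting the expiry inside the credential means revoking a session before it expires does require some shared state (or rotating MASTER_KEY, which logs everyone out).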

