Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Published byEthan Singleton Modified over 8 years ago

Similar presentations

Presentation on theme: "Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1."— Presentation transcript:

1 Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1

2 Sessions A sequence of requests and responses from one browser to one (or more) sites – Session can be long (e.g. Gmail) or short – without session mgmt: users would have to constantly re-authenticate Session mgmt: authorize user once; – All subsequent requests are tied to user 2

3 Pre-history: HTTP auth HTTP request:GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ= 3

4 HTTP auth problems Hardly used in commercial sites: User cannot log out other than by closing browser – What if user has multiple accounts? multiple users on same machine? Site cannot customize password dialog Confusing dialog to users Easily spoofed 4

5 Session tokens Browser GET /index.html set anonymous session token GET /books.html anonymous session token POST /do-login Username & password elevate to a logged-in session token POST /checkout logged-in session token check credentials (crypto) Validate token web site 5

6 Storing session tokens: Lots of options (but none are perfect) Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb Embed in all URL links: https://site.com/checkout ? SessionToken=kh7y3b In a hidden form field: 6

7 Storing session tokens: problems Browser cookie: browser sends cookie with every request, even when it should not (CSRF) Embed in all URL links: token leaks via HTTP Referer header (or if user posts URL in a public blog) In a hidden form field: does not work for long- lived session Best answer: a combination of all of the above 7

8 The HTTP referer header Referer leaks URL session token to 3 rd parties Referer supression: not sent when HTTPS site refers to an HTTP site in HTML5: 8

9 The Logout Process Web sites must provide a logout function: Functionality: let user to login as different user Security: prevent others from abusing account What happens during logout: 1. Delete SessionToken from client 2. Mark session token as expired on server Problem: many web sites do (1) but not (2) !! ⇒ Especially risky for sites who fall back to HTTP after login 9

10 Session hijacking

11 Attacker waits for user to login then attacker steals user’s Session Token and “hijacks” session ⇒ attacker can issue arbitrary requests on behalf of user Example: FireSheep [2010] Firefox extension that hijacks Facebook session tokens over WiFi. Solution: HTTPS after login 11

12 Beware: Predictable tokens Example 1: counter  user logs in, gets counter value, can view sessions of other users Example 2: weak MAC. token = { userid, MAC k (userid) } Weak MAC exposes k from few cookies. Apache Tomcat: generateSessionId() Returns random session ID [server retrieves client state based on sess-id] 12

13 Session tokens must be unpredictable to attacker To generate: use underlying framework (e.g. ASP, Tomcat, Rails) Rails: token = MD5( current time, random nonce ) 13

14 Beware: Session token theft Example 1: login over HTTPS, but subsequent HTTP Enables cookie theft at wireless Café (e.g. Firesheep) Other ways network attacker can steal token: – Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP – Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: – Logout must invalidate token on server 14

15 Mitigating SessionToken theft by binding SessionToken to client’s computer Client IP addr: makes it harder to use token at another machine – But honest client may change IP addr during session client will be logged out for no reason. Client user agent: weak defense against theft, but doesn’t hurt. SSL session id: same problem as IP address (and even worse) A common idea: embed machine specific data in SID 15

16 Session fixation attacks Suppose attacker can set the user’s session token: For URL tokens, trick user into clicking on URL For cookie tokens, set using XSS exploits Attack: (say, using URL tokens) 1.Attacker gets anonymous session token for site.com 2.Sends URL to user with attacker’s session token 3.User clicks on URL and logs into site.com – this elevates attacker’s token to logged-in token 4.Attacker uses elevated token to hijack user’s session. 16

17 Session fixation: lesson When elevating user from anonymous to logged-in: always issue a new session token After login, token changes to value unknown to attacker  Attacker’s token is not elevated. 17

18 Summary Always assume cookie data retrieved from client is adversarial Session tokens are split across multiple client state mechanisms: – Cookies, hidden form fields, URL parameters – Cookies by themselves are insecure (CSRF, cookie overwrite) – Session tokens must be unpredictable and resist theft by network attacker Ensure logout invalidates session on server 18

Download ppt "Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Security: Session Management

Web Security: Session Management
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Similar presentations

Ads by Google