Cache Cookies for Browser Authentication (Extended Abstract)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Subspace: secure cross-domain communication for web mashups
Proceedings of the 16th international conference on World Wide Web
Beamauth: two-factor web authentication with a bookmark
Proceedings of the 14th ACM conference on Computer and communications security
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
An investigation of hotlinking and its countermeasures
Computer Communications
Getting web authentication right: a best-case protocol for the remaining life of passwords
SP'11 Proceedings of the 19th international conference on Security Protocols
SessionJuggler: secure web login from an untrusted terminal using session hijacking
Proceedings of the 21st international conference on World Wide Web
One-time cookies: Preventing session hijacking attacks with stateless authentication tokens
ACM Transactions on Internet Technology (TOIT)
BetterAuth: web authentication revisited
Proceedings of the 28th Annual Computer Security Applications Conference
GlassTube: a lightweight approach to web application integrity
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
Hi-index | 0.00 |
Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking. We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.