HTTP cookies are the de facto mechanism for session authentication in Web applications. However, their inherent security weaknesses allow attacks against the integrity of Web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this article, we propose one-time cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the Web application, making it easily deployable in highly distributed systems. We implemented OTC as a plug-in for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies—a negligible overhead for most Web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to Web applications. In so doing, we demonstrate that one-time cookies can significantly improve the security of Web applications with minimal impact on performance and scalability.
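One stateless way to realize the per-request signing the abstract describes, written here as an added illustration rather than the paper's protocol or its WordPress plug-in code: the server derives each session secret from a master key it already holds, so verifying a signed request needs no synchronized per-session state. The master key, the derivation scheme, the header field names and the 300-second freshness window are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values; a real deployment keeps the master key in server-side config.
MASTER_KEY = b"constructed-demo-master-key"
WINDOW_SECONDS = 300  # assumption: how long a signed request stays acceptable

def derive_session_secret(master_key, session_id):
    """Server-side derivation: secret = HMAC(master_key, session_id). Any server that
    holds the master key can recompute it, so no per-session state is synchronized."""
    return hmac.new(master_key, b"otc-session|" + session_id.encode(), hashlib.sha256).digest()

def _canonical(method, path, session_id, ts, nonce):
    # Bind the tag to method, path, session, time and nonce so it is not reusable elsewhere.
    return f"{method}\n{path}\n{session_id}\n{ts}\n{nonce}".encode()

def sign_request(session_secret, method, path, session_id, ts=None, nonce=None):
    """Browser side: one fresh tag per request; the session secret itself is never sent."""
    ts = int(time.time()) if ts is None else int(ts)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    sig = hmac.new(session_secret, _canonical(method, path, session_id, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"sid": session_id, "ts": ts, "nonce": nonce, "sig": sig}

def verify_request(master_key, method, path, hdr, now=None, window=WINDOW_SECONDS):
    """Server side: recompute the secret, reject stale timestamps, compare in constant time.
    Nonces are not tracked here, so a verbatim replay inside the window still passes; a
    deployment closes that with a short-lived seen-nonce set or a tighter window."""
    now = int(time.time()) if now is None else int(now)
    if abs(now - int(hdr["ts"])) > window:
        return False
    secret = derive_session_secret(master_key, hdr["sid"])
    expected = hmac.new(secret, _canonical(method, path, hdr["sid"], int(hdr["ts"]), hdr["nonce"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, hdr["sig"])

def demo(now=1_700_000_000):
    """Returns (genuine request accepted, tag moved to another path rejected, stale tag rejected)."""
    sid = "constructed-session-id"
    secret = derive_session_secret(MASTER_KEY, sid)  # handed to the browser once, at login
    hdr = sign_request(secret, "GET", "/wp-admin/", sid, ts=now, nonce="0123456789abcdef")
    accepted = verify_request(MASTER_KEY, "GET", "/wp-admin/", hdr, now=now)
    moved = verify_request(MASTER_KEY, "GET", "/wp-admin/users.php", hdr, now=now)
    stale = verify_request(MASTER_KEY, "GET", "/wp-admin/", hdr, now=now + WINDOW_SECONDS + 1)
    return accepted, moved, stale
```

Because every server recomputes the secret from the master key, adding a front-end node requires distributing only that key, which is the property that lets this style of scheme avoid the state-synchronization cost the abstract mentions.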