The implementation of web sessions is a somewhat anarchic and largely unstructured process. Our goal with the present paper is to provide a disciplined perspective on the relative strengths and weaknesses of the most common techniques for implementing web sessions, with a particular focus on their security. We clarify common misconceptions in the recent "cookies vs tokens" debate and propose a more useful classification of web session implementations, based on where session information and session credentials are stored. We then propose a new implementation technique for web sessions that combines the strengths of existing web technologies to overcome their weaknesses, and we successfully deploy our solution on top of WordPress and the Auth0 library for web authentication to demonstrate its feasibility.
| Field | Value |
| --- | --- |
| Publication date | 2018 |
| Title | Dr Cookie and Mr Token - Web session implementations and how to live with them |
| Journal | CEUR WORKSHOP PROCEEDINGS |
| Book title | CEUR Workshop Proceedings |
| Appears in the categories | 4.1 Conference proceedings article |

Files in this record:

| File | Document type | Access | Status |
| --- | --- | --- | --- |
| itasec18.pdf | Post-print document | Closed access (personal) | Restricted |