Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience.
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user's browsing experience. © 2014 Springer International Publishing Switzerland.
Autori: | ||
Data di pubblicazione: | 2014 | |
Titolo: | Automatic and robust client-side protection for cookie-based sessions | |
Titolo del libro: | Engineering Secure Software and Systems | |
Digital Object Identifier (DOI): | http://dx.doi.org/10.1007/978-3-319-04897-0_11 | |
Appare nelle tipologie: | 4.1 Articolo in Atti di convegno |
File in questo prodotto:
File | Descrizione | Tipologia | Licenza | |
---|---|---|---|---|
essos14.pdf | Documento in Post-print | Accesso chiuso-personale | Riservato |