Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Session Management
Dan Boneh
Sessions
A sequence of requests and responses from
one browser to one (or more) sites
Session can be long (Gmail - two weeks)
or short
Session mgmt:
Authorize user once;
Easily spoofed
Session tokens
Browser Web Site
GET /index.html
GET /books.html
anonymous session token
POST /checkout
logged-in session token Validate
token
Storing session tokens:
Lots of options (but none are perfect)
• Browser cookie:
Set-Cookie: SessionToken=fduhye63sfdb
Session
Apache tokens must
Tomcat: be unpredicatble to attacker:
generateSessionID()
Use underlying
MD5(PRG) framework.
… but weak PRG [GM’05].
Predictable SessionID’s
Rails: token = MD5( current time, random nonce )
2. Cookie theft
Example 1: login over SSL, but subsequent HTTP
What happens as wireless Café ?
Other reasons why session token sent in the clear:
HTTPS/HTTP mixed content pages at site
Man-in-the-middle attacks on SSL
Client IP Address:
Will make it harder to use token at another machine
click on
URL
user
logs in
Bad things happen:
respond
with • site.com session token
attacker’s site.com sent to attacker
script
• rewrite site.com DOM
• rewrite links and persist
Persistent XSS
XSS script is injected into blog, message board, etc.
When user’s view the block, the malicious script
runs in their browser
blogs must filter uploaded content