Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
View analytic
Thursday, August 22 • 4:45pm - 5:30pm
Improving the Security of Session Management in Web Applications

Sign up or log in to save this to your schedule and see who's attending!

Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as an authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. On the contrary, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP. 

We propose a secure and lightweight session management mechanism, effectively improving session management security with HTTP deployments. By establishing a safely contained, shared secret between browser and server, an attacker is prevented from taking over a user’s session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties. 

Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.

avatar for Lieven Desmet

Lieven Desmet

Research Manager, imec-DistriNet-KU Leuven
Lieven Desmet is a Senior Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware... Read More →

Wouter Joosen

imec-DistriNet - KU Leuven
avatar for Frank Piessens

Frank Piessens

Full professor, imec-DistriNet, KU Leuven
Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He... Read More →
avatar for Philippe De Ryck

Philippe De Ryck

Web security expert, imec-DistriNet, KU Leuven
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer... Read More →

Thursday August 22, 2013 4:45pm - 5:30pm