SlideShare a Scribd company logo

Session management

D
Dhruv Aggarwal

A sequence of requests and responses from one browser to one (or more) sites Session can be long or short Without session management: Users would have to constantly re-authenticate Session management: Authorize user once All subsequent requests are tied to user Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb Embedd in all URL links: https://site.com/checkout ? SessionToken=kh7y3b In a hidden form field: <input type=“hidden” name=“sessionid” value=“kh7y3b”>

Engineering
1 of 16
Dhruv Aggarwal
Sessions  A sequence of requests and responses from one browser to one (or more) sites  Session can be long or short  Without session management:  Users would have to constantly re-authenticate  Session management:  Authorize user once  All subsequent requests are tied to user
Pre-history: HTTP auth
HTTP auth problems  Hardly used in commercial sites  What if user has multiple accounts?  Site cannot customize password dialog  Easily spoofed
Session tokens
Storing session tokens:  Browser cookie:  Set-Cookie: SessionToken=fduhye63sfdb  Embedd in all URL links:  https://site.com/checkout ? SessionToken=kh7y3b  In a hidden form field:  <input type=“hidden” name=“sessionid” value=“kh7y3b”>
PROBLEM  Storing session tokens: problems  Browser cookie:  browser sends cookie with every request, even when it should not  Embed in all URL links:  token leaks via HTTP Referer header  In a hidden form field: short sessions only
Active and Passive Attack Scenarios  Session Hijacking  Eavesdropping  Session Fixation  Cross-Site Scripting  Exhaustive Search  Intelligent Manipulation of Session Data  Network Manipulation (e.g. change of DNS entries)  etc.
URL-based Solutions  The session token is part of the URL and will be transmitted to the web server through HTTP GET requests  Example: http://www.blabla.com/buy.asp?article=27781;sessionid=IE5579901578  This mechanism works even in case of user client security restrictions (if, for example, no cookies are allowed). Thus, it can serve as a fallback mechanism if the server detects problems with other mechanisms like cookies or JavaScript Problems:  All information contained in the URL might be stored in firewall or proxy log files  Also, it could simply be printed out with the web page on a shared printer  Moreover, the URL, including potentially sensitive data, can be sent in the HTTP referrer field to other web servers. This implies a high risk of sensitive session data being disclosed to unauthorized third parties
Form-based Solutions with Hidden Fields  Session token and information can be included in so-called hidden fields in a form  The form will be sent by the user client to the server with an HTTP POST command. This looks like the following example: <FORM METHOD=POST ACTION=”/cgi-bin/order_goods.pl”> <INPUT TYPE=”hidden” NAME=”customerid” VALUE=”0815”> <INPUT TYPE=”hidden” NAME=”valid_order” VALUE=”yes”> <INPUT TYPE=”hidden” NAME=”productid” VALUE=”4711”>  As described in the case of URL-encoded session tokens, this form-based mechanism works even in case of user client security restrictions (if, for example, no cookies are allowed). Thus, it can serve as a fallback mechanism if the server detects problems with other mechanisms like cookies or JavaScript  The form-based solution does not provide pre-defined protection mechanisms as those provided by cookies, for example  Moreover, the form-based approach requires repeated sending of HTTP forms via POST commands, which implies a certain amount of overhead that might reduce performance. Also, hidden fields cannot last beyond a certain interactive session
HTTP Basic and/or Digest Authentication-based Solutions  In HTTP Basic authentication, the client sends his username and password in cleartext as part of the HTTP request  In all subsequent HTTP requests for content from subdirectories of the original request, these credentials will be automatically resent  In HTTP Digest authentication, no passwords are sent in the clear  Instead, a cryptographic hash value containing the username, password, and additional security-relevant data, will be transmitted from the client to the server (more details can be found in RFC2617 - HTTP Authentication: Basic and Digest Access Authentication, June 1999) Problems:  HTTP Basic authentication is vulnerable to passive eavesdropping. Moreover, it provides no mechanism for explicit session expiration (i.e. logout)  HTTP Digest authentication cannot guarantee sufficient support on all client platforms  Both mechanisms do not provide session tracking, but only authentication
Cookie-based Solutions  Cookies are a simple session management mechanism  Cookies have been designed to track status information about user visits on web servers (who requested which pages at what time)  Originally, nobody intended to use cookies for authentication purposes  Nevertheless, a large quantity of web applications today uses cookies for user authentication and authorization  Cookies are normally sent from the web server to the client using two different methods: either within HTTP headers or by JavaScript
USER AUTHENTICATION
Single Sign-On  This is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications.  Applications should trust a central authority.

Recommended

self des session_T_M
self des session_T_Mself des session_T_M
self des session_T_MDayasagar Kadam
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga 0xdec0de
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
2310 b 16
2310 b 162310 b 16
2310 b 16Krazy Koder
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
M365 meetup hybrid identity well protected
M365 meetup hybrid identity well protectedM365 meetup hybrid identity well protected
M365 meetup hybrid identity well protectedKonrad Sagala
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 

Recommended

self des session_T_M
self des session_T_Mself des session_T_M
self des session_T_MDayasagar Kadam
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga 0xdec0de
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
2310 b 16
2310 b 162310 b 16
2310 b 16Krazy Koder
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
M365 meetup hybrid identity well protected
M365 meetup hybrid identity well protectedM365 meetup hybrid identity well protected
M365 meetup hybrid identity well protectedKonrad Sagala
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
Web fundamentals - part 1
Web fundamentals - part 1Web fundamentals - part 1
Web fundamentals - part 1Bozhidar Boshnakov
 
Lemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrationsLemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrationsxguimard
 
Identity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web servicesIdentity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web servicesPrabath Siriwardena
 
Java Session
Java SessionJava Session
Java SessionAathikaJava
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Https
HttpsHttps
HttpsAcodez IT Solutions
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basicssanjoysanyal
 
Class 38
Class 38Class 38
Class 38srasat73
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managmentzakieh alizadeh
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Cookie
CookieCookie
CookieSamit Kumar Kapat
 
Session tracking In Java
Session tracking In JavaSession tracking In Java
Session tracking In Javahoneyvachharajani
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
PHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfPHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfHumphreyOwuor1
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvcmagda3695
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developersaritasingh19866
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.pptssuserec53e73
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying RESTKirsten Hunter
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 

More Related Content

What's hot

Lemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrationsLemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrationsxguimard
 
Identity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web servicesIdentity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web servicesPrabath Siriwardena
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 

What's hot (6)

Web fundamentals - part 1
Web fundamentals - part 1Web fundamentals - part 1
Web fundamentals - part 1
 
Lemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrationsLemonldap::NG, open-source Web-SSO of the french administrations
Lemonldap::NG, open-source Web-SSO of the french administrations
 
Identity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web servicesIdentity patterns and anit-patterns in real world web services
Identity patterns and anit-patterns in real world web services
 
Java Session
Java SessionJava Session
Java Session
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Https
HttpsHttps
Https
 

Similar to Session management

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
PHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfPHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfHumphreyOwuor1
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvcmagda3695
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developersaritasingh19866
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.pptssuserec53e73
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
19_JavaScript - Storage_Cookies-tutorial .pptx
19_JavaScript - Storage_Cookies-tutorial .pptx19_JavaScript - Storage_Cookies-tutorial .pptx
19_JavaScript - Storage_Cookies-tutorial .pptxssuser4a97d3
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 

Similar to Session management (20)

HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basics
 
Class 38
Class 38Class 38
Class 38
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Cookie
CookieCookie
Cookie
 
Session tracking In Java
Session tracking In JavaSession tracking In Java
Session tracking In Java
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
PHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfPHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdf
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Synapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developerSynapse india reviews on security for the share point developer
Synapse india reviews on security for the share point developer
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessions
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
19_JavaScript - Storage_Cookies-tutorial .pptx
19_JavaScript - Storage_Cookies-tutorial .pptx19_JavaScript - Storage_Cookies-tutorial .pptx
19_JavaScript - Storage_Cookies-tutorial .pptx
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 

Recently uploaded

HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningmisbanausheenparvam
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 

Recently uploaded (20)

HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 

Session management

  • 2. Sessions  A sequence of requests and responses from one browser to one (or more) sites  Session can be long or short  Without session management:  Users would have to constantly re-authenticate  Session management:  Authorize user once  All subsequent requests are tied to user
  • 4. HTTP auth problems  Hardly used in commercial sites  What if user has multiple accounts?  Site cannot customize password dialog  Easily spoofed
  • 6. Storing session tokens:  Browser cookie:  Set-Cookie: SessionToken=fduhye63sfdb  Embedd in all URL links:  https://site.com/checkout ? SessionToken=kh7y3b  In a hidden form field:  <input type=“hidden” name=“sessionid” value=“kh7y3b”>
  • 7. PROBLEM  Storing session tokens: problems  Browser cookie:  browser sends cookie with every request, even when it should not  Embed in all URL links:  token leaks via HTTP Referer header  In a hidden form field: short sessions only
  • 8. Active and Passive Attack Scenarios  Session Hijacking  Eavesdropping  Session Fixation  Cross-Site Scripting  Exhaustive Search  Intelligent Manipulation of Session Data  Network Manipulation (e.g. change of DNS entries)  etc.
  • 9. URL-based Solutions  The session token is part of the URL and will be transmitted to the web server through HTTP GET requests  Example: http://www.blabla.com/buy.asp?article=27781;sessionid=IE5579901578  This mechanism works even in case of user client security restrictions (if, for example, no cookies are allowed). Thus, it can serve as a fallback mechanism if the server detects problems with other mechanisms like cookies or JavaScript Problems:  All information contained in the URL might be stored in firewall or proxy log files  Also, it could simply be printed out with the web page on a shared printer  Moreover, the URL, including potentially sensitive data, can be sent in the HTTP referrer field to other web servers. This implies a high risk of sensitive session data being disclosed to unauthorized third parties
  • 10. Form-based Solutions with Hidden Fields  Session token and information can be included in so-called hidden fields in a form  The form will be sent by the user client to the server with an HTTP POST command. This looks like the following example: <FORM METHOD=POST ACTION=”/cgi-bin/order_goods.pl”> <INPUT TYPE=”hidden” NAME=”customerid” VALUE=”0815”> <INPUT TYPE=”hidden” NAME=”valid_order” VALUE=”yes”> <INPUT TYPE=”hidden” NAME=”productid” VALUE=”4711”>  As described in the case of URL-encoded session tokens, this form-based mechanism works even in case of user client security restrictions (if, for example, no cookies are allowed). Thus, it can serve as a fallback mechanism if the server detects problems with other mechanisms like cookies or JavaScript  The form-based solution does not provide pre-defined protection mechanisms as those provided by cookies, for example  Moreover, the form-based approach requires repeated sending of HTTP forms via POST commands, which implies a certain amount of overhead that might reduce performance. Also, hidden fields cannot last beyond a certain interactive session
  • 11. HTTP Basic and/or Digest Authentication-based Solutions  In HTTP Basic authentication, the client sends his username and password in cleartext as part of the HTTP request  In all subsequent HTTP requests for content from subdirectories of the original request, these credentials will be automatically resent  In HTTP Digest authentication, no passwords are sent in the clear  Instead, a cryptographic hash value containing the username, password, and additional security-relevant data, will be transmitted from the client to the server (more details can be found in RFC2617 - HTTP Authentication: Basic and Digest Access Authentication, June 1999) Problems:  HTTP Basic authentication is vulnerable to passive eavesdropping. Moreover, it provides no mechanism for explicit session expiration (i.e. logout)  HTTP Digest authentication cannot guarantee sufficient support on all client platforms  Both mechanisms do not provide session tracking, but only authentication
  • 12. Cookie-based Solutions  Cookies are a simple session management mechanism  Cookies have been designed to track status information about user visits on web servers (who requested which pages at what time)  Originally, nobody intended to use cookies for authentication purposes  Nevertheless, a large quantity of web applications today uses cookies for user authentication and authorization  Cookies are normally sent from the web server to the client using two different methods: either within HTTP headers or by JavaScript
  • 14.
  • 15.
  • 16. Single Sign-On  This is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications.  Applications should trust a central authority.