Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 4:45pm - 5:30pm
Improving the Security of Session Management in Web Applications

Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. In contrast, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP.

We propose a secure and lightweight session management mechanism, effectively improving session management security for HTTP deployments. By establishing a safely contained, shared secret between browser and server, the mechanism prevents an attacker from taking over a user's session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties.

Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.
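As an added illustration of why a shared secret that is never put on the wire defeats eavesdropping-based hijacking over plain HTTP (example code written for this page, not code from the paper or its authors), the following Python models two servers: one that authenticates requests with a bearer cookie, and one that requires every request to carry an HMAC computed with a per-session secret that browser and server both hold but never send. The header names, the HMAC-over-request-plus-counter construction, and the assumption that the secret has already been established out of band are choices made for the example; they are not the paper's protocol.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed, simplified HTTP-like request. On plain HTTP an on-path
# eavesdropper sees and can copy everything in it.
@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    headers: dict = field(default_factory=dict)


# --- Baseline: bearer cookie. Whoever holds the cookie value owns the session.
class CookieServer:
    def __init__(self):
        self.valid = set()

    def new_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.valid.add(cookie)
        return cookie

    def handle(self, req: Request) -> int:
        return 200 if req.headers.get("Cookie") in self.valid else 401


# --- Keyed-request variant (assumed construction, not the paper's mechanism):
# each request carries HMAC(secret, method|path|counter|body) and a counter;
# the secret itself never appears in any header.
def _tag(secret: bytes, method: str, path: str, counter: int, body: str) -> str:
    msg = f"{method}\n{path}\n{counter}\n{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class KeyedBrowser:
    def __init__(self, sid: str, secret: bytes):
        self.sid, self.secret, self.counter = sid, secret, 0

    def request(self, method: str, path: str, body: str = "") -> Request:
        self.counter += 1  # strictly increasing counter blocks replay
        tag = _tag(self.secret, method, path, self.counter, body)
        return Request(method, path, body, {"X-Session": self.sid,
                                            "X-Counter": str(self.counter),
                                            "X-Tag": tag})


class KeyedServer:
    def __init__(self):
        self.sessions = {}  # sid -> [secret, highest counter accepted]

    def new_session(self, secret: bytes) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = [secret, 0]
        return sid

    def handle(self, req: Request) -> int:
        sess = self.sessions.get(req.headers.get("X-Session"))
        if sess is None:
            return 401
        secret, last = sess
        try:
            counter = int(req.headers.get("X-Counter", ""))
        except ValueError:
            return 400
        if counter <= last:
            return 401  # replayed or stale request
        expected = _tag(secret, req.method, req.path, counter, req.body)
        if not hmac.compare_digest(expected, req.headers.get("X-Tag", "")):
            return 401  # tampered, or tagged by someone without the secret
        sess[1] = counter
        return 200


def simulate() -> dict:
    """Run the same eavesdropper against both designs; status codes per case."""
    out = {}

    # Cookie design: copy the observed header, reuse it for a new action.
    cs = CookieServer()
    observed = Request("GET", "/inbox", headers={"Cookie": cs.new_session()})
    out["cookie_legit"] = cs.handle(observed)
    out["cookie_hijack"] = cs.handle(
        Request("POST", "/account/delete", headers=dict(observed.headers)))

    # Keyed design. Assumption: the shared secret was already agreed between
    # browser and server by some means outside this example.
    secret = secrets.token_bytes(32)
    ks = KeyedServer()
    browser = KeyedBrowser(ks.new_session(secret), secret)
    observed = browser.request("GET", "/inbox")
    out["mac_legit"] = ks.handle(observed)
    # Replay of the captured request verbatim: counter already used.
    out["mac_replay"] = ks.handle(
        Request("GET", "/inbox", headers=dict(observed.headers)))
    # Forgery: bump the counter past the replay check and change the target;
    # without the secret the attacker cannot recompute the tag.
    forged = dict(observed.headers)
    forged["X-Counter"] = str(int(forged["X-Counter"]) + 1)
    out["mac_forged"] = ks.handle(Request("POST", "/account/delete", headers=forged))
    # The real browser is unaffected by the attempts.
    out["mac_next_legit"] = ks.handle(browser.request("POST", "/compose", body="hi"))
    return out


if __name__ == "__main__":
    for case, status in simulate().items():
        print(f"{case:16s} {status}")
```

The counter is a deliberate simplification: it rejects any request whose counter is not higher than the last one accepted, so out-of-order delivery would be refused as a replay; a production design would need a window or nonce store. The point the example makes is the one in the abstract: the captured cookie is a usable credential, while the captured tag is bound to one request and is useless without the secret that never crossed the wire.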

Speakers

Lieven Desmet

Research Manager, iMinds-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Security at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in the security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is a board member of the OWASP Belgium Chapter.

Frank Piessens

Professor, iMinds-DistriNet-KU Leuven
Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He is an active participant in both fundamental research and industrial application-driven projects, provides consultancy to industry on distributed system...

Philippe De Ryck

iMinds-DistriNet-KU Leuven
Philippe is the main contact person within iMinds-DistriNet for web security-related training activities. Philippe has finished his PhD on client-side web security and currently focuses on a sustainable transfer of his web security expertise to industry partners, mainly through training courses and public dissemination activities.


Thursday August 22, 2013 4:45pm - 5:30pm
Freiraum