OWASP AppSec Research 2013

Session management is a critical component of modern web applications, allowing a server to keep track of user-specific state, such as an authentication status. Unfortunately, many applications deploy session management over an insecure HTTP channel, making them vulnerable to eavesdropping, session hijacking or session fixation attacks. On the contrary, state-of-practice guidelines advocate the deployment of session management on a secure HTTPS channel, using the HttpOnly and Secure cookie attributes, effectively eliminating these well-known session management attacks. The goal of this paper is to provide secure session management to web applications deployed over HTTP. 

We propose a secure and lightweight session management mechanism, effectively improving session management security with HTTP deployments. By establishing a safely contained, shared secret between browser and server, an attacker is prevented from taking over a user’s session, since the secret is never transmitted, nor accessible. We demonstrate the applicability of our solution to a common scenario involving third-party authentication, clearly indicating the gained security properties. 

Our secure and lightweight session management mechanism raises the security bar for HTTP deployments, which will eventually lead to secure session management for all web applications.