Dr Cookie and Mr Token - Web Session Implementations and How to Live with Them
Abstract
The implementation of web sessions is a somewhat anarchic and largely unstructured process. Our goal with the present paper is to provide a disciplined perspective on the relative strengths and weaknesses of the most common techniques to implement web sessions, with a particular focus on their security. We clarify common misconceptions in the recent “cookies vs tokens” debate and we propose a more useful classification of web session implementations, based on where session information and session credentials are stored. We then propose a new implementation technique for web sessions which combines the strengths of existing web technologies to overcome their weaknesses, and we successfully deploy our solution on top of WordPress and the Auth0 library for web authentication to demonstrate its feasibility.
Similar resources
How to Define Searching Sessions on Web Search Engines
We investigate three methods for defining a session on Web search engines. We examine 2,465,145 interactions from 534,507 Web searchers. We compare defining sessions using: 1) Internet Protocol address and cookie; 2) Internet Protocol address, cookie, and a temporal limit on intrasession interactions; and 3) Internet Protocol address, cookie, and query reformulation patterns. Research results s...
An Analytical Study of Web Application Session Management Mechanisms and HTTP Session Hijacking Attacks
Shellie Wedman, Annette Tetmeyer, and Hossein Saiedian Department of Electrical Engineering Computer Science, University of Kansas, Lawrence, Kansas, USA ABSTRACT The HTTP protocol is designed for stateless transactions, but many Web applications require a session to be maintained between a Web browser and a server creating a stateful environment. Each Web application decides how its session is...
An Improved Token-Based and Starvation Free Distributed Mutual Exclusion Algorithm
Distributed mutual exclusion is a fundamental problem of distributed systems that coordinates the access to critical shared resources. It concerns with how the various distributed processes access to the shared resources in a mutually exclusive manner. This paper presents fully distributed improved token based mutual exclusion algorithm for distributed system. In this algorithm, a process which...
Web Service Security
Authentication is the process of making sure that the person who is requesting a web service is really the person that they claim to be. This is done by requiring the user to provide a set of credentials. In return, they will receive a security token that can be used to access the server. The credentials usually take the form of a user id and password. On the other hand, the security token that...
Hardened Stateless Session Cookies
Stateless session cookies allow web applications to alter their behaviour based on user preferences and access rights, without maintaining server-side state for each session. This is desirable because it reduces the impact of denial of service attacks and eases database replication issues in load-balanced environments. The security of existing session cookie proposals depends on the server prot...
Publication date: 2018