Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the ...

The privacy implications of third-party tracking is a well-studied problem. Recent research has shown that besides data aggregators and behavioral advertisers, online social networks also act as trackers via social widgets. Existing cookie policies are not enough to solve these problems, pushing users to employ blacklist-based browser extensions to prevent such tracking. Unfortunately, such app...

Password sharing is widely used as a means of delegating access, but it is open to abuse and relies heavily on trust in the person being delegated to. We present a protocol for delegating access to websites as a natural extension to the Pico protocol. Through this we explore the potential characteristics of delegation mechanisms and how they interact. We conclude that security for the delegator...

The implementation of web sessions is a somewhat anarchic and largely unstructured process. Our goal with the present paper is to provide a disciplined perspective of which are the relative strengths and weaknesses of the most common techniques to implement web sessions, with a particular focus on their security. We clarify common misconceptions in the recent “cookies vs tokens” debate and we p...

HTTP cookie covert channel is a communication method that encodes malicious information in fields to escape regulatory audits. It difficult detect this kind of according the content because are mainly encoded custom modes. To effectively identify channel, paper proposes detection based on interaction features session flow. First, we split flow into fine-grained “interaction process” subflows co...

Since there is no concept of a session in HTTP, Web servers and browsers use cookies to capture information for subsequent communications on the Web, thus providing continuity and state across HTTP connections. Technically, cookies can be used to support electronic transactions on the Web, holding users' credit card information. However, it is insecure to store and transmit sensitive informatio...