Sciweavers

SAC
2011
ACM

Reliable protection against session fixation attacks

13 years 2 months ago
Reliable protection against session fixation attacks
The term ‘Session Fixation vulnerability’ subsumes issues in Web applications that under certain circumstances enable the adversary to perform a Session Hijacking attack through controlling the victim’s session identifier value. A successful attack allows the attacker to fully impersonate the victim towards the vulnerable Web application. We analyse the vulnerability pattern and identify its root cause in the separation of concerns between the application logic, which is responsible for the authentication processes, and the framework support, which handles the task of session tracking. Based on this result, we present and discuss three distinct server-side measures for mitigating Session Fixation vulnerabilities. Each of our countermeasures is tailored to suit a specific real-life scenario that might be encountered by the operator of a vulnerable Web application.
Martin Johns, Bastian Braun, Michael Schrank, Joac
Added 17 Sep 2011
Updated 17 Sep 2011
Type Journal
Year 2011
Where SAC
Authors Martin Johns, Bastian Braun, Michael Schrank, Joachim Posegga
Comments (0)