PRESENTATION ON
HTTP Session Management and
Secure Session Overview
By – Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire
CONTENTS
Overview of HTTP
Concept of an HTTP Session
Session Management and its methods
Attacks on Session Management
Good Session Management
Overview of SSL, TLS, HTTPS
Conclusion
References
WHAT IS HTTP?
Hyper Text Transfer Protocol.
Works at the application layer of the Internet model.
Protocol used for the service known as the World Wide Web (WWW).
Used for transferring web documents from the server to the client.
Uses the well-known port number 80.
HOW DOES HTTP WORK?
Interaction between the client and the server: a dialog between two hosts using the HTTP request and response mechanism.
(Diagram: the client sends a Request to the server; the server returns a Response.)
STATELESSNESS OF HTTP
HTTP is termed a stateless protocol: the server does not remember previous requests made by the client.
The advantage of a stateless protocol is that hosts do not need to retain information about users between requests.
But for complex interactions between servers and clients (a login followed by several pages), the server needs to know the history of the client's earlier requests.
A HTTP SESSION
Sessions are used to compensate for the stateless nature of the HTTP protocol.
A session allows storage of information associated with the client for the duration of the client's visit.
Each session has a unique identification string called the Session ID (SID); the client presents it on every request and the server uses it to look up that client's state.
Used to make HTTP stateful.
STATELESS SERVER
STATEFUL SERVER
SESSION MANAGEMENT
Session management is the technique used by the web developer to make the stateless HTTP protocol support session state.
Thus session management is a mechanism to make a session 'stateful'.
The session information exchanged between client and server is the SID. The SID is generated by the server in response to the first request from the end user's web browser and is then sent back by the browser with every subsequent request.
METHODS FOR SESSION MANAGEMENT
URL rewriting
Hidden form fields
Cookies
URL BASED SESSION ID TRACKING
Also called URL rewriting. The session ID is embedded in the URL, so it travels with the HTTP GET method.
Example: http://somesite.com/Admin.php?SessionID=1234567
Caveat: an ID carried in the URL is written to browser history, proxy and server logs, and is sent to other sites in the Referer header, so it leaks far more easily than a cookie.
HIDDEN POST FIELDS
Session ID information is stored within the fields of a form and submitted to the application.
Makes use of the HTTP POST method: the session ID is embedded in the form as a hidden field and submitted with the POST request.
CONTD..
Example: embedded within the HTML of a page

```html
<FORM METHOD="POST" ACTION="/cgi-bin/news.pl">
  <INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
  <INPUT TYPE="hidden" NAME="allowed" VALUE="true">
  <INPUT TYPE="submit" NAME="Read News Article">
</FORM>
```

Note that a hidden field is still under the client's control: the allowed=true flag above can be edited before submission, so it must never be used as an authorization decision.
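As an added example (not part of the original slides), the following Python code locates the session ID in each of the three carriers just listed: the URL query string, a hidden form field, and a cookie. The three request texts and the accepted parameter names in `SID_NAMES` are constructed assumptions for illustration, not taken from any real application.

```python
"""Added example: find the session ID in a raw HTTP request, whichever
carrier it uses (URL rewriting, hidden form field, cookie).
Not from the original slides; the requests below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Parameter/cookie names treated as session IDs (assumption for this example).
SID_NAMES = ("sessionid", "sid", "phpsessid", "jsessionid")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_session_id(raw):
    """Return (carrier, sid) for the first session ID found, or None."""
    method, target, headers, body = parse_request(raw)

    # 1. URL rewriting: the ID rides in the query string of a GET.
    for name, values in parse_qs(urlsplit(target).query).items():
        if name.lower() in SID_NAMES:
            return "url", values[0]

    # 2. Hidden form field: the ID rides in a POSTed form body.
    form_type = headers.get("content-type", "")
    if method == "POST" and form_type.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body).items():
            if name.lower() in SID_NAMES:
                return "form", values[0]

    # 3. Cookie: "name=value; name=value" pairs in the Cookie header.
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name.lower() in SID_NAMES:
            return "cookie", value

    return None


# Constructed sample requests, one per carrier (values borrowed from the slides).
REQ_URL = (
    "GET /Admin.php?SessionID=1234567 HTTP/1.1\r\n"
    "Host: somesite.com\r\n\r\n"
)
REQ_FORM = (
    "POST /cgi-bin/news.pl HTTP/1.1\r\n"
    "Host: somesite.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n\r\n"
    "sessionid=IE60012219&allowed=true"
)
REQ_COOKIE = (
    "GET /news HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: lang=en; sessionID=IE60012219\r\n\r\n"
)

if __name__ == "__main__":
    for req in (REQ_URL, REQ_FORM, REQ_COOKIE):
        print(find_session_id(req))
```

Whichever carrier delivers the value, the server must treat it only as a key into its own session map; everything else in the request (including a hidden field such as allowed=true) is attacker-controlled input.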
COOKIES
An HTTP cookie (usually called simply a cookie) is a small piece of data sent by a server to a web browser in a Set-Cookie header and then sent back by the browser, in a Cookie header, each time it accesses that server.
It was first developed by Netscape so that a server could recognise the same browser across requests.
Cookies find use in areas like:
E-commerce
Customized web portals
Web site registration
COOKIE STRUCTURE
A cookie contains the following information:
A name
A value
An expiry date
A path
A domain
A Secure flag (send only over HTTPS)
SETTING A COOKIE
Syntax for setting a cookie from PHP:
setcookie([name string], [value string], [expires UNIX time stamp], [path string], [domain string], [secure bool], [httponly bool])
Example of the resulting response header:

```http
Set-Cookie: sessionID="IE60012219"; path="/"; domain="www.example.com"; expires="2003-06-01 00:00:00GMT"; version=0
```

Note that this example uses the older RFC 2109 style; current browsers (RFC 6265) expect Expires=Sun, 01 Jun 2003 00:00:00 GMT and ignore version, and the example sets neither the Secure nor the HttpOnly flag on what is a session cookie.
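As an added example (not part of the original slides), the Python code below builds a session cookie with the protective attributes and audits any Set-Cookie value for the ones it lacks, using the slide's own header as the weak input. The cookie name, value and domain are the slide's illustrative ones; the builder and the audit rules are this editor's, not any framework's API.

```python
"""Added example: emit a session cookie with its protective attributes and
audit a Set-Cookie value for the protections it lacks.
Not from the original slides; names, values and domains are illustrative."""

# The slide's own example header, used here as the weak input.
SLIDE_COOKIE = ('sessionID="IE60012219"; path="/"; domain="www.example.com"; '
                'expires="2003-06-01 00:00:00GMT"; version=0')


def build_session_cookie(name, sid, domain=None, path="/", max_age=1800):
    """Return a Set-Cookie value carrying a session ID.

    Secure: never sent over plain HTTP (blocks interception on the wire).
    HttpOnly: not readable from page script (blocks cookie theft via XSS).
    SameSite=Lax: not attached to cross-site POSTs (blunts CSRF).
    Max-Age: the browser discards it after this many seconds.
    """
    parts = [f"{name}={sid}", f"Path={path}"]
    if domain:                       # omit Domain to keep the cookie host-only
        parts.append(f"Domain={domain}")
    parts += [f"Max-Age={max_age}", "Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(parts)


def parse_set_cookie(header_value):
    """Return (name, value, attributes). Attribute keys are lower-cased,
    flags without a value map to True, quoted values are unquoted."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if sep else True
    return name.strip(), value.strip().strip('"'), attrs


def audit_set_cookie(header_value):
    """List the protections a session cookie is missing (empty list = fine)."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure flag: also sent over plain HTTP (interception)")
    if attrs.get("httponly") is not True:
        findings.append("no HttpOnly flag: readable by injected script (XSS)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: attached to cross-site requests")
    if attrs.get("domain"):
        findings.append("Domain attribute set: also sent to every subdomain of "
                        + str(attrs["domain"]) + "; omit it for a host-only cookie")
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(SLIDE_COOKIE):
        print("slide cookie:", finding)
    print("hardened:", build_session_cookie("sessionID", "IE60012219"))
```

The audit only reads the attributes the server emitted; it cannot tell whether the value itself is random enough, which is the subject of the next slides.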
MORE ON SESSION ID
Session IDs are used to track authenticated users, so they must satisfy some criteria to avoid being compromised:
Session ID randomness
Random
Unpredictable
Non-reproducible
Session ID length
Prevention against brute-force attacks. The slides' rule of thumb is a minimum of 50 random characters; what actually matters is entropy: an ID drawn from a cryptographic random generator with at least 64 bits of entropy (128 bits in common practice, as in the OWASP session management guidance) is out of reach of brute force regardless of its character count.
ATTACKS ON SESSION MANAGEMENT
Attacks focus on retrieving a valid session ID.
These attacks are similar to identity theft (stealing someone's SSN): stealing a session ID allows a malicious user to assume the permissions of the legitimate user without knowing the password.
Session attacks fall into two major categories:
Session hijacking
Session fixation
ATTACKS ON SESSION MANAGEMENT A) SESSION HIJACKING
Hijacking is the process of acquiring a valid session ID after it has been assigned.
Hijacking is carried out in three different ways:
Prediction: occurs when a malicious user realizes that a pattern exists between session IDs (for example a counter or a timestamp).
Brute-force attack: a malicious user repeatedly tries numerous session IDs until he gets a valid one; the more live sessions there are, the fewer guesses are needed.
Interception: occurs when a malicious user is able to read data on the network (unencrypted HTTP, or script injected via XSS that reads the cookie) and so learn the SID.
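The following Python code is an added example (not part of the original slides) serving both the session ID criteria above and the prediction and brute-force cases just listed: it computes the entropy of an ID design and the expected number of blind guesses for a given number of live sessions, and applies a simple heuristic to a sample of observed IDs to spot counter-like values. The observed ID samples and the 1000-session load are constructed assumptions.

```python
"""Added example: how much work a brute-force or prediction attack faces for
a given session-ID design, plus a check for counter-like IDs.
Not from the original slides; the observed ID samples are constructed."""
import math
import secrets


def entropy_bits(alphabet_size, length):
    """Entropy of an ID of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits, live_sessions):
    """Average blind guesses needed to hit any one of `live_sessions` valid IDs."""
    return 2.0 ** bits / (2 * live_sessions)


def new_session_id(nbytes=16):
    """A 128-bit ID from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(nbytes)


def looks_predictable(ids, max_gap=2 ** 16):
    """True if consecutive observed IDs decode to integers that only creep
    upward in small steps, the signature of a counter or a timestamp."""
    try:
        values = [int(i, 16) for i in ids]   # hex parsing also covers decimal IDs
    except ValueError:
        return False                         # not numeric: this heuristic does not apply
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


# Constructed samples: the slide's 7-digit style versus CSPRNG output.
OBSERVED_SEQUENTIAL = ["1234567", "1234568", "1234571", "1234575"]
OBSERVED_RANDOM = [new_session_id() for _ in range(4)]


def compare_designs(live_sessions=1000):
    """Expected brute-force effort for two ID designs under the same server load."""
    return {
        "7 decimal digits": expected_guesses(entropy_bits(10, 7), live_sessions),
        "32 hex chars": expected_guesses(entropy_bits(16, 32), live_sessions),
    }


if __name__ == "__main__":
    print(compare_designs())
    print("sequential predictable:", looks_predictable(OBSERVED_SEQUENTIAL))
    print("random predictable:", looks_predictable(OBSERVED_RANDOM))
```

With 1000 users logged in, the slide's 7-digit style ID (about 23 bits) falls to roughly 5000 guesses, well within reach of a script; the 128-bit ID needs on the order of 10^35. The prediction heuristic is deliberately simple: a real assessment samples many IDs and looks for time or counter structure in each component, but the one-line delta check already catches the commonest mistake.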
SESSION FIXATION
This attack occurs because a malicious user is able to specify the session ID for a user's session before the victim logs in.
Permissive web applications will not assign a server-generated session ID if the client already presents one: the application adopts the one the client presents.
To exploit this, the attacker typically creates a link that sets the session identifier to a value they choose (easiest with URL rewriting), waits for the victim to log in under that ID, and then presents the same ID to take over the authenticated session.
The defence is to accept only server-generated IDs and to issue a fresh ID at login.
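As an added example (not part of the original slides), the Python code below runs the fixation scenario against two login implementations: a permissive one that adopts whatever ID the client presents, and a hardened one that ignores unknown IDs and rotates the ID on authentication. The session store, the attacker's chosen ID and the user names are illustrative assumptions.

```python
"""Added example: a session-fixation attack against a permissive login and
the same attack against a login that accepts only server-issued IDs and
rotates the ID on authentication. Not from the original slides; the
session store and user names are illustrative."""
import secrets


class SessionStore:
    """Server-side session map: sid -> state dict (only the sid reaches the client)."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def login_permissive(store, presented_sid, user, password_ok):
    """Vulnerable: adopts whatever SID the client presents and keeps it after login."""
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {"user": None}   # client-chosen ID accepted as-is
    if password_ok:
        store.sessions[presented_sid]["user"] = user
    return presented_sid


def login_hardened(store, presented_sid, user, password_ok):
    """Ignores unknown (client-chosen) IDs and issues a fresh ID on login."""
    if presented_sid not in store.sessions:
        presented_sid = store.new()          # force server-side ID creation
    if not password_ok:
        return presented_sid
    pre_auth = store.sessions.pop(presented_sid)   # the pre-login ID is dead after login
    new_sid = store.new()
    store.sessions[new_sid].update(pre_auth, user=user)
    return new_sid


def fixation_attack(login):
    """The attacker fixes a SID in a crafted link (e.g. ?SessionID=...), the
    victim logs in with it, then the attacker presents the same SID.
    Returns the user the attacker's request is treated as, or None."""
    store = SessionStore()
    attacker_sid = "ATTACKER-CHOSEN-VALUE"
    login(store, attacker_sid, "alice", password_ok=True)    # victim logs in
    return store.sessions.get(attacker_sid, {}).get("user")  # attacker's request


if __name__ == "__main__":
    print("permissive:", fixation_attack(login_permissive))   # alice
    print("hardened:  ", fixation_attack(login_hardened))     # None
```

Rotating the ID at login (and at any other privilege change) is the step most frameworks expose as "session regenerate"; without it, even a server that only issues random IDs is still exposed if the attacker can obtain a legitimate pre-login ID and plant it in the victim's browser.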
ATTACKS ON SESSION MANAGEMENT B) SESSION FIXATION
GOOD SESSION MANAGEMENT
GOOD SESSION MANAGEMENT MEASURES
Use strong encryption on all transmissions
Store only the session ID on the client side
Perform sanity checks to detect session hijacking
Expire the session after inactivity
Do not make session IDs viewable
Select a good session identifier
Prevent cross-site scripting (XSS) vulnerabilities
Force server-side session ID creation
Double-check critical operations
GOOD SESSION MANAGEMENT MEASURES
Provide secure logout
Securely store the server-side session map
Expire the pages (to prevent caching)
Make the session ID dynamic, with hijack-attempt detection
Require re-authentication after the maximum login limit
Check the SSL client certificate (if possible)
Verify the domain before accepting cookie-based session IDs
Restrict the cookie path
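As an added example (not part of the original slides), the Python class below implements several of the measures listed on these two slides in one server-side session map: idle and absolute expiry, a sanity check that binds the session to a client fingerprint and kills it on mismatch, and a secure logout that clears the server entry and tells the browser to drop the cookie and not cache the pages. The timeout values, the choice of User-Agent as the fingerprint, and the `now` parameter (a clock passed in so the code runs offline) are assumptions of this example.

```python
"""Added example: a server-side session map implementing idle and absolute
expiry, a hijack sanity check on a client fingerprint, and secure logout
with cache control. Not from the original slides; timeouts and the
fingerprint choice are assumptions for illustration."""
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, active or not


def client_fingerprint(user_agent):
    """Cheap sanity-check value bound to the session at login. The User-Agent
    is used here rather than the IP address, which changes behind NAT/mobile."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionManager:
    def __init__(self):
        self._sessions = {}   # sid -> state; clients only ever see the sid

    def create(self, user, user_agent, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(user_agent),
                               "created": now, "last_seen": now}
        return sid

    def resolve(self, sid, user_agent, now):
        """Map a presented sid to (user, reason). Any failure invalidates the sid."""
        state = self._sessions.get(sid)
        if state is None:
            return None, "unknown"
        if now - state["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)
            return None, "absolute-timeout"
        if now - state["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None, "idle-timeout"
        if not hmac.compare_digest(state["fp"], client_fingerprint(user_agent)):
            self._sessions.pop(sid)          # possible hijack: kill the session
            return None, "fingerprint-mismatch"
        state["last_seen"] = now
        return state["user"], "ok"

    def logout(self, sid):
        """Secure logout: drop the server-side entry, then tell the browser to
        discard the cookie and not to cache the logged-in pages."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sessionID=; Max-Age=0; Path=/; Secure; HttpOnly",
                "Cache-Control": "no-store"}


if __name__ == "__main__":
    mgr = SessionManager()
    sid = mgr.create("alice", "Mozilla/5.0 (example)", now=0)
    print(mgr.resolve(sid, "Mozilla/5.0 (example)", now=60))
    print(mgr.resolve(sid, "curl/8.0", now=120))
    print(mgr.logout(sid))
```

The fingerprint check is a tripwire, not a lock: an attacker who intercepted the cookie usually saw the User-Agent too. Its value is that a mismatch costs the legitimate user only a re-login while turning a silent takeover into a logged event.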
BAD EXAMPLES
Browser flaws
Bad session IDs
Predictable session IDs
Unencrypted sessions
Cross-site scripting (XSS) vulnerabilities
Session fixation
SSL OVERVIEW
Secure Sockets Layer. Developed by Netscape in 1995.
Provides a mechanism for secure transactions on the web.
Makes use of digital certificates, signed by a trusted third-party Certificate Authority (CA), issued to the server.
Consists of two sub-protocols, for:
SSL connection establishment (the handshake protocol)
Data transmission (the record protocol)
SSL CONNECTION ESTABLISHMENT
DATA TRANSMISSION USING SSL
SHORTCOMINGS OF SSL
SSL cipher suites include RC4, whose keystream biases make the cipher cryptanalysable, so traffic protected with it can be compromised.
Slower than plain HTTP, because of the handshake and the per-record encryption.
Possible mismatch between the keys and the X.509 certificates they are meant to match, which breaks the authentication the certificate is supposed to provide.
TLS
Transport Layer Security protocol. Successor to SSL.
Operates above TCP, between the transport and application layers.
Used with HTTP to form HTTPS, providing secure transactions.
Involves three key phases:
1. Peer negotiation for algorithm support (cipher suite selection).
2. Key exchange and authentication.
3. Symmetric cipher encryption and message authentication.
HTTPS
HTTP Secure. Used to secure traffic on the WWW.
Combination of HTTP and a cryptographic protocol (generally TLS).
Port 443 by default.
Application areas:
E-commerce
Asset management
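HTTPS only protects the session if the client actually verifies the server's certificate and refuses the legacy protocol versions; the weak client configuration that silences certificate errors is the most common way this protection is lost. As an added example (not part of the original slides), the Python code below audits an `ssl` client context for those settings, on a weak configuration and a hardened one, without opening any connection.

```python
"""Added example: auditing a Python `ssl` client context for the settings
that make HTTPS actually authenticate the server, shown for a weak
configuration and a hardened one. Not from the original slides; runs
offline (no connection is opened)."""
import ssl


def audit_client_context(ctx):
    """Return the findings that would let an attacker impersonate the server."""
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname off: a valid certificate for any other site is accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: self-signed or MITM certificates accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy SSL/TLS versions negotiable")
    return findings


def weak_context():
    """The 'just make the certificate error go away' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no CA check: any certificate passes
    return ctx


def hardened_context():
    """System CA store, hostname check, certificate required, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or "no findings")
```

The same two settings matter on the server side: a server that still offers SSLv3 or TLS 1.0 gives an interceptor a downgrade path, and a session cookie issued without the Secure flag will leave HTTPS entirely the first time the browser follows a plain http:// link to the same host.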
CONCLUSIONS
Secure session management is critical to the security of web-based applications.
The importance of secure session management cannot be overstated.
As the trend is towards wireless access to the Internet (WLAN), where traffic is easily intercepted, there is a need to constantly evolve the existing session management techniques.