http session management and secure session overview
DESCRIPTION
The presentation gives a brief overview of HTTP session management, the threats to session management, and good practices for running sessions.
TRANSCRIPT
PRESENTATION ON
HTTP Session Management and Secure Session Overview
By: Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire
CONTENTS
Overview of HTTP
Concept of an HTTP Session
Session Management and its methods
Attacks on Session Management
Good Session Management
Overview of SSL
TLS
HTTPS
Conclusion
References
WHAT IS HTTP?
Hyper Text Transfer Protocol.
Works at the application layer of the Internet (TCP/IP) model.
Protocol used for the service known as the World Wide Web (WWW).
Used for transferring web documents from the server to the client.
Uses the well-known port number 80.
HOW DOES HTTP WORK?
Interaction between a client and a server: a dialogue between two hosts using the HTTP request and response mechanism.
(Diagram: the Client sends a Request to the Server; the Server returns a Response.)
STATELESSNESS OF HTTP
HTTP is termed as Stateless protocol. The server does not remember the previous
request made by the client. The advantage of a stateless protocol is that
hosts do not need to retain information about users between requests.
But in case of complex interaction between servers and clients, a previous history of requests should be known to the server.
5
AN HTTP SESSION
Sessions are used to compensate for the stateless nature of the HTTP protocol.
A session allows storage of information associated with a client for the duration of the client's visit.
Each session has a unique identification string called the Session ID (SID).
The SID is what makes HTTP appear stateful: the client presents it on every request and the server looks up the associated state.
STATELESS SERVER
(diagram not included in the transcript)
STATEFUL SERVER
(diagram not included in the transcript)
SESSION MANAGEMENT
Session management is the technique used by the web developer to make the stateless HTTP protocol support session state.
Thus session management is the mechanism that makes a session 'stateful'.
Session information is carried in the form of the SID. The SID is generated by the server as a result of the first request from the end user's web browser, and the browser returns it with each subsequent request.
METHODS FOR SESSION MANAGEMENT
URL rewriting
Hidden form fields
Cookies
URL BASED SESSION ID TRACKING
Also called URL rewriting. The session ID is embedded in the URL, so it travels with the HTTP GET method.
Example: http://somesite.com/Admin.php?SessionID=1234567
Caveat: a session ID in the URL is exposed in browser history, in proxy and server logs, and in the Referer header sent to any third-party site linked from the page, and it is easily leaked by copy-and-paste.
HIDDEN POST FIELDS
Session ID information is stored within the fields of a form and submitted to the application.
Makes use of the HTTP POST method: the session ID is embedded in the form as a hidden field and sent in the body of the POST request rather than in the URL.
CONTD..
Example, embedded within the HTML of a page:
<FORM METHOD="POST" ACTION="/cgi-bin/news.pl">
  <INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
  <INPUT TYPE="hidden" NAME="allowed" VALUE="true">
  <INPUT TYPE="submit" VALUE="Read News Article">
</FORM>
Note that the hidden "allowed=true" field is an authorization decision stored on the client; anyone can edit it before submitting, so the server must not trust it (see "Store only Session ID on Client side" below).
COOKIES
An HTTP cookie (usually called simply a cookie) is a small piece of information sent by a server to a web browser (in a Set-Cookie response header) and then sent back by the browser (in a Cookie request header) each time it accesses that server.
It was first introduced by Netscape so that a site could keep state, such as a shopping cart, across requests and so recognise a returning user.
Cookies find use in areas like:
E-commerce
Customized web portals
Web site registration
COOKIE STRUCTURE
A cookie contains the following information:
A name
A value
An expiry date
A path
A domain
A secure flag (send the cookie only over an encrypted connection)
SETTING A COOKIE
Syntax for setting a cookie (PHP):
setcookie(name, value, expires UNIX timestamp, path, domain, secure)
The resulting HTTP response header, for example:
Set-Cookie: sessionID=IE60012219; Path=/; Domain=www.example.com; Expires=Sun, 01 Jun 2003 00:00:00 GMT
Attribute values are not quoted and the expiry must be in the HTTP date format shown (the obsolete Version attribute is omitted). A session cookie should additionally carry the Secure flag, and in current browsers HttpOnly so that scripts cannot read it.
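To show what a correctly formed session cookie header looks like and to check the headers a server actually emits, here is an added example in Python (not code from the presentation). It builds the Set-Cookie value with the standard library's http.cookies module and audits any Set-Cookie value for the protections the later slides call for. The cookie name, domain, the 30-minute lifetime and the one-day threshold are assumptions chosen for the illustration.

```python
from email.utils import formatdate, parsedate_to_datetime
from http.cookies import SimpleCookie

# Attributes a session cookie should carry (Python's lowercase key -> header spelling).
# Assumed policy for this example: all three are required, and a lifetime over one day is flagged.
REQUIRED_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
MAX_LIFETIME = 86400


def build_session_cookie(session_id, *, now, domain="www.example.com", max_age=1800):
    """Return the Set-Cookie header value for a session cookie.

    `now` is a Unix timestamp injected by the caller so the Expires date is reproducible.
    The cookie is scoped to one domain and path, lives 30 minutes, is sent only over
    HTTPS (Secure), is hidden from scripts (HttpOnly) and is not attached to most
    cross-site requests (SameSite=Lax).
    """
    cookie = SimpleCookie()
    cookie["sessionID"] = session_id
    morsel = cookie["sessionID"]
    morsel["path"] = "/"
    morsel["domain"] = domain
    morsel["max-age"] = max_age
    # HTTP date format, e.g. "Sun, 01 Jun 2003 00:00:00 GMT"; quoted or ISO dates are not valid here.
    morsel["expires"] = formatdate(now + max_age, usegmt=True)
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def audit_set_cookie(header_value, *, now):
    """Parse one Set-Cookie header value and list the protections it lacks.

    Returns an empty list for a well-formed session cookie.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        for key, spelling in REQUIRED_FLAGS.items():
            if not morsel[key]:  # attributes that were not set are the empty string
                findings.append(f"{name}: missing {spelling}")
        # Lifetime: Max-Age wins over Expires, as in browsers; neither means "until the browser closes".
        lifetime = None
        if morsel["max-age"]:
            lifetime = int(morsel["max-age"])
        elif morsel["expires"]:
            lifetime = int(parsedate_to_datetime(morsel["expires"]).timestamp() - now)
        if lifetime is not None and lifetime > MAX_LIFETIME:
            findings.append(f"{name}: lifetime {lifetime}s exceeds {MAX_LIFETIME}s")
    return findings


if __name__ == "__main__":
    t = 1054423800  # constructed timestamp: 30 minutes before 2003-06-01 00:00:00 GMT
    good = build_session_cookie("IE60012219", now=t)
    print("Set-Cookie:", good)
    print(audit_set_cookie(good, now=t))
    # The slide's example with only path, domain and expiry set (constructed from the slide):
    weak = "sessionID=IE60012219; Path=/; Domain=www.example.com; Expires=Sun, 01 Jun 2003 00:00:00 GMT"
    print(audit_set_cookie(weak, now=t))
```

Run against the slide's own example, the audit reports that Secure, HttpOnly and SameSite are all missing, which is exactly what makes the SID readable by injected script and interceptable on a plaintext connection.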
MORE ON SESSION ID
Session IDs are used to track authenticated users, so they must fulfil some criteria to avoid being compromised:
Session ID randomness: random, unpredictable and non-reproducible, i.e. generated from a cryptographically secure random source rather than from a counter, a timestamp or the user name.
Session ID length: prevention against brute-force attacks. The presentation recommends a minimum of 50 random characters; current OWASP guidance is at least 64 bits of entropy in an ID of at least 128 bits, which a 16-byte value from the operating system's secure random generator already meets.
ATTACKS ON SESSION MANAGEMENT
Attacks focus on retrieving a valid session ID.
These attacks are similar to Social Security Number (SSN) theft: stealing the session ID allows a malicious user to assume the permissions of the legitimate user without knowing their password.
Session attacks fall into two major categories:
Session hijacking
Session fixation
ATTACKS ON SESSION MANAGEMENT A) SESSION HIJACKING
Hijacking is the process of acquiring a valid session ID after it has been assigned.
Hijacking is carried out in 3 different ways:
Prediction: occurs when the malicious user realizes that a pattern exists between session IDs (sequential numbers, timestamps, encoded user names) and computes a victim's ID from it.
Brute force attack: the malicious user repeatedly tries numerous session IDs until a valid one is found; the shorter the ID and the more active sessions there are, the faster this succeeds.
Interception: occurs when the malicious user is able to capture data on the network (plaintext HTTP, or a cookie sent without the Secure flag) and read the SID from it.
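The randomness and length criteria on the "More on Session ID" slide and the prediction and brute-force attacks above are two sides of the same calculation. The following added Python example (not code from the presentation) generates IDs the safe way, includes a deliberately weak timestamp-plus-counter generator as the thing to detect, applies a crude predictability check to a sample of IDs, and estimates brute-force time for the 7-digit ID shown on the URL rewriting slide versus a 128-bit one. The weak generator, the 0.15 threshold and the 10,000 sessions / 1,000 guesses per second figures are assumptions for the illustration.

```python
import secrets


def strong_session_id(nbytes=16):
    """128 bits from the OS CSPRNG, URL-safe base64 encoded (22 characters for 16 bytes)."""
    return secrets.token_urlsafe(nbytes)


def weak_session_id(counter, epoch_seconds):
    """Hypothetical predictable generator, included only as a negative example:
    a timestamp followed by a per-server counter, the kind of scheme behind IDs like 1234567."""
    return f"{epoch_seconds:08x}{counter:04d}"


def mean_bit_difference(ids):
    """Fraction of bits that change between consecutive IDs (compared as ASCII bytes).

    IDs derived from counters or clocks change only a few bits per step; CSPRNG output in
    the base64url alphabet changes roughly 40% of the bits between any two IDs.
    """
    diff_bits = total_bits = 0
    for a, b in zip(ids, ids[1:]):
        ab, bb = a.encode(), b.encode()
        total_bits += 8 * max(len(ab), len(bb))
        diff_bits += sum(bin(x ^ y).count("1") for x, y in zip(ab, bb))
        diff_bits += 8 * abs(len(ab) - len(bb))  # a length change counts as changed bits
    return diff_bits / total_bits


def looks_predictable(ids, threshold=0.15):
    """Crude prediction check: a sample that barely changes between IDs has guessable structure.
    The 0.15 threshold is an assumption chosen to separate the two generators above."""
    return mean_bit_difference(ids) < threshold


def expected_brute_force_seconds(id_length, alphabet_size, active_sessions, guesses_per_second):
    """Expected time to hit any one of `active_sessions` valid IDs by random guessing.

    With a space of alphabet_size ** id_length and N valid IDs, about space / (2 * N)
    guesses are needed on average.
    """
    space = alphabet_size ** id_length
    return space / (2 * active_sessions) / guesses_per_second


if __name__ == "__main__":
    weak = [weak_session_id(i, 1054423800) for i in range(1, 201)]  # constructed sample
    strong = [strong_session_id() for _ in range(200)]
    print("weak:  ", weak[:3], "predictable:", looks_predictable(weak))
    print("strong:", strong[:3], "predictable:", looks_predictable(strong))
    # 7 decimal digits (as in SessionID=1234567) with 10,000 live sessions at 1,000 guesses/s:
    print(expected_brute_force_seconds(7, 10, 10_000, 1_000), "seconds")
    # 22 base64url characters (128 bits) under the same conditions:
    print(expected_brute_force_seconds(22, 64, 10_000, 1_000), "seconds")
```

The bit-difference test is only a quick screen for the "prediction" case: it catches counters and clocks but not, say, a badly seeded PRNG, which needs a proper statistical test suite over a large sample. The brute-force figure makes the length argument concrete: a 7-digit ID with ten thousand live sessions falls in about half a second, while 128 bits is out of reach regardless of guess rate.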
ATTACKS ON SESSION MANAGEMENT B) SESSION FIXATION
This attack occurs because a malicious user is able to specify the session ID for a user's session.
Permissive web applications will not assign a server-generated session ID if the client already presents one: the application adopts the one the client presents.
To exploit this, the attacker typically creates a link that sets the session identifier to a value they choose (for example a URL carrying SessionID=... as on the URL rewriting slide), sends it to the victim, waits for the victim to log in under that ID, and then uses the same ID themselves.
(diagram not included in the transcript)
GOOD SESSION MANAGEMENT
GOOD SESSION MANAGEMENT MEASURES
Use Strong Encryption on all Transmissions
Store only the Session ID on the Client side
Perform Sanity Checks to Detect Session Hijacking
Expire the Session after Inactivity
Do not make Session IDs Viewable
Select a Good Session Identifier
Prevent Cross-Site Scripting (XSS) Vulnerabilities
Force Server-side Session ID Creation
Double-Check Critical Operations
GOOD SESSION MANAGEMENT MEASURES (CONTD.)
Provide Secure Logout
Securely Store the Server-side Session Map
Expire the Pages (to Prevent Caching)
Make the Session ID Dynamic, with Hijack-Attempt Detection
Require Re-Authentication after the Maximum Login Limit
Check the SSL Client Certificate (if possible)
Verify the Domain before Accepting Cookie-based Session IDs
Restrict the Cookie Path
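The session fixation attack described earlier and several of the measures listed above come together in a server-side session store. The added Python example below (not code from the presentation) shows the permissive pattern that adopts a client-supplied ID beside a hardened store that forces server-side ID creation, expires sessions after inactivity and after an absolute lifetime, performs a sanity check binding the ID to the client context it was issued to, rotates the ID at login with hijack-attempt detection, and implements secure logout. It then replays the fixation attack against both. The client "fingerprint" strings, timeouts and user names are constructed for the illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session map; the client only ever holds an opaque ID.

    Covers several measures from the list: server-generated IDs, inactivity and absolute
    expiry, a sanity check binding the ID to the client context it was issued to, ID
    rotation at login with hijack-attempt detection, and secure logout."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity before expiry
        self.absolute_timeout = absolute_timeout  # hard lifetime regardless of activity
        self.clock = clock                        # injectable so expiry can be tested
        self._sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self, fingerprint):
        """Start an anonymous session bound to a client fingerprint (e.g. a User-Agent hash)."""
        now = self.clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "fp": fingerprint, "created": now, "last": now}
        return sid

    def get(self, sid, fingerprint):
        """Session record, or None if the ID is unknown, expired, or presented from another
        client context; expired and mismatched sessions are destroyed on the spot."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last"] > self.idle_timeout or now - rec["created"] > self.absolute_timeout:
            del self._sessions[sid]
            return None
        if rec["fp"] != fingerprint:
            del self._sessions[sid]  # hijack attempt detected: invalidate rather than serve
            return None
        rec["last"] = now
        return rec

    def login(self, sid, fingerprint, user):
        """Authenticate and rotate the ID, so an ID known before login (fixated or
        intercepted) never becomes an authenticated one."""
        rec = self.get(sid, fingerprint)
        if rec is None:
            now = self.clock()
            rec = {"fp": fingerprint, "created": now, "last": now}
        else:
            del self._sessions[sid]
        rec["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = rec
        return new_sid

    def logout(self, sid):
        """Secure logout: drop the server-side record so a replayed ID is useless."""
        self._sessions.pop(sid, None)


# Permissive pattern that enables fixation (deliberately vulnerable, for contrast).
def permissive_resolve(store, presented_sid, fingerprint):
    if presented_sid and presented_sid not in store._sessions:  # adopts any client-supplied ID
        now = store.clock()
        store._sessions[presented_sid] = {"user": None, "fp": fingerprint, "created": now, "last": now}
    return presented_sid or store.create(fingerprint)

def permissive_login(store, sid, fingerprint, user):
    store._sessions[sid]["user"] = user  # authenticates the existing ID in place: no rotation
    return sid

def permissive_lookup(store, sid, fingerprint):
    return store._sessions.get(sid)  # no expiry and no client-context check


# Hardened pattern: unknown IDs are replaced by server-generated ones, rotated at login.
def strict_resolve(store, presented_sid, fingerprint):
    if presented_sid and store.get(presented_sid, fingerprint) is not None:
        return presented_sid
    return store.create(fingerprint)

def strict_login(store, sid, fingerprint, user):
    return store.login(sid, fingerprint, user)

def strict_lookup(store, sid, fingerprint):
    return store.get(sid, fingerprint)


def fixation_attack(resolve, login, lookup):
    """The attack from the slide: attacker fixes an ID, victim logs in under it, attacker
    presents it. Returns the user the attacker ends up logged in as (None = defeated)."""
    store = SessionStore()
    fixed_sid = "attacker-chosen-id"  # constructed: delivered to the victim in a crafted link
    victim_sid = resolve(store, fixed_sid, "victim-browser")
    login(store, victim_sid, "victim-browser", "alice")
    rec = lookup(store, fixed_sid, "attacker-browser")
    return rec["user"] if rec else None


if __name__ == "__main__":
    print("permissive app, attacker is logged in as:",
          fixation_attack(permissive_resolve, permissive_login, permissive_lookup))
    print("hardened app, attacker is logged in as:",
          fixation_attack(strict_resolve, strict_login, strict_lookup))
```

Either of the two hardened behaviours defeats fixation on its own: refusing to adopt an unknown ID means the victim never runs under the attacker's value, and rotating at login means that even an adopted ID is discarded the moment it would become valuable. Keeping both also covers an ID that was intercepted before login. The fingerprint check is the "sanity check" from the list; it must use stable attributes (a changing client IP behind a mobile carrier would log users out), which is why the example leaves the choice to the caller.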
BAD EXAMPLES
Browser flaws
Bad session IDs
Predictable session IDs
Unencrypted sessions
Cross-site scripting (XSS) vulnerabilities
Session fixation
SSL OVERVIEW
Secure Sockets Layer. Developed by Netscape in 1995.
Provided a mechanism for secure transactions on the web.
Makes use of digital certificates, signed by a trusted third-party Certificate Authority (CA), provided to the server.
Consists of 2 sub-protocols, for:
SSL connection establishment (the handshake)
Data transmission (the record protocol)
SSL CONNECTION ESTABLISHMENT
(diagram not included in the transcript)
DATA TRANSMISSION USING SSL
(diagram not included in the transcript)
SHORTCOMINGS OF SSL
Weak ciphers: RC4, a stream cipher commonly negotiated under SSL, has keystream biases that let an attacker recover plaintext from enough captured traffic; its use in TLS is now prohibited (RFC 7465).
Slower: the handshake and the encryption of every record add latency and CPU cost compared with plaintext HTTP.
Possible mismatch between the keys and the X.509 certificates they are supposed to correspond to, which leaves the server unauthenticated.
SSL 2.0 and 3.0 themselves are deprecated (RFC 6176 and RFC 7568) and must not be negotiated.
TLS
Transport Layer Security protocol. Successor of SSL.
Runs on top of a reliable transport (TCP) and below the application protocol; used with HTTP to form HTTPS and so provide secure transactions.
Involves 3 key phases:
1. Peer negotiation for algorithm support.
2. Key exchange and authentication.
3. Symmetric cipher encryption and message authentication.
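The shortcomings of SSL listed above and the negotiation phase of TLS are decided by configuration before any handshake happens. The added Python example below (not code from the presentation) builds a client-side TLS context that refuses SSLv2/SSLv3 and the RC4 family, verifies the server certificate and host name, and reports what the context would negotiate, beside a deliberately permissive context for contrast. The cipher-list string and the list of weak-cipher markers are assumptions for the illustration.

```python
import ssl

# Cipher-suite policy for this example (an assumption, in OpenSSL cipher-list syntax):
# strong suites only, with explicit bans on the families the slide criticises.
CIPHER_POLICY = "HIGH:!aNULL:!MD5:!RC4:!3DES"
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def hardened_client_context():
    """Client TLS configuration that cannot fall back to SSL-era weaknesses."""
    ctx = ssl.create_default_context()            # CA verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv2, SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(CIPHER_POLICY)                # phase 1: what we are willing to negotiate
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks secrets (CRIME)
    return ctx


def permissive_client_context():
    """For contrast: the kind of context older code leaves behind (constructed, not from the slide).
    No certificate or hostname verification, and every protocol version the library still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_report(ctx):
    """Summarise the settings that decide phases 1 and 2 of the handshake."""
    weak = [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_MARKERS)]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    print("hardened:  ", context_report(hardened_client_context()))
    print("permissive:", context_report(permissive_client_context()))
```

A context that does not verify the certificate chain and host name gives up the authentication phase entirely, which is what the "key/certificate mismatch" shortcoming amounts to: the session is encrypted, but to whoever answered.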
HTTPS
HTTP Secure. Used to secure traffic on the WWW.
Combination of HTTP and a cryptographic protocol (generally TLS).
Port number 443 by default.
Application areas:
E-commerce
Asset management
CONCLUSIONS
Secure session management is critical to the security of web-based applications.
The importance of secure session management cannot be overstated.
As the trend is towards wireless access to the Internet (WLAN), where traffic is easier to intercept, the existing session management techniques need to evolve constantly.
REFERENCES
Luke Murphey, "Secure Session Management".
Gunter Ollmann, "Web Based Session Management".
www.wikipedia.org
Andrew S. Tanenbaum, "Computer Networks".