Secure session management is a challenging problem for web applications. In fact, three of the ten most critical security risks in the OWASP Top Ten 2013 can lead to session hijacking attacks. Best practices advocate transmitting session identifiers over HTTPS. However, this approach does not solve the session management problems and cannot be deployed on the wide range of applications that are HTTP-only. This paper presents a lightweight session management design deployed over HTTP, which allows much of the existing infrastructure of the web to remain unchanged while at the same time strengthening authentication. Our work leverages the following key insights. (1) Users already share secrets with their web applications (e.g. a password). (2) HTTPS is primarily used to protect authentication information. (3) Secure session management should be built on a secure initial mutual authentication. Our proposed protocol guarantees the authenticity, confidentiality, integrity, and anti-replay of authentication credentials. © 2014 Springer International Publishing.
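The abstract lists the properties the protocol is built on (a password-derived shared secret, a per-session key bound to the initial mutual authentication, and integrity plus anti-replay protection for every request) without giving the message format. The following is an added illustrative construction, not the paper's protocol: the KDF, nonce layout and counter scheme are assumptions chosen to show how those properties can be checked server-side over plain HTTP.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def derive_session_key(password: str, salt: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Long-term secret from the password (PBKDF2 is an illustrative choice), then a
    # per-session key bound to both nonces exchanged during mutual authentication.
    long_term = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(long_term, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()


def sign_request(key: bytes, session_id: str, counter: int, method: str, path: str, body: bytes) -> str:
    # Authenticity and integrity: the MAC covers the session id, the counter and the request.
    msg = b"|".join([session_id.encode(), str(counter).encode(), method.encode(), path.encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class ServerSession:
    key: bytes
    last_counter: int = -1  # highest counter accepted so far

    def verify(self, session_id: str, counter: int, method: str, path: str, body: bytes, tag: str) -> bool:
        # Anti-replay: the counter must be strictly greater than anything already accepted.
        if counter <= self.last_counter:
            return False
        expected = sign_request(self.key, session_id, counter, method, path, body)
        if not hmac.compare_digest(expected, tag):
            return False
        self.last_counter = counter
        return True


def run_scenario() -> dict:
    # Constructed sample values standing in for the outcome of the initial mutual authentication.
    password, salt = "correct horse battery staple", b"constructed-salt"
    c_nonce, s_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    sid = "sess-" + secrets.token_hex(8)
    client_key = derive_session_key(password, salt, c_nonce, s_nonce)
    server = ServerSession(key=derive_session_key(password, salt, c_nonce, s_nonce))

    body = b'{"amount": 10}'
    tag = sign_request(client_key, sid, 1, "POST", "/transfer", body)
    first = server.verify(sid, 1, "POST", "/transfer", body, tag)
    replayed = server.verify(sid, 1, "POST", "/transfer", body, tag)  # same message resent
    tampered = server.verify(sid, 2, "POST", "/transfer", b'{"amount": 1000}', tag)  # body altered
    return {"first": first, "replayed": replayed, "tampered": tampered}
```

Confidentiality of the credential itself is not addressed by this snippet; the shared secret never leaves either side, but the request body still travels in the clear over HTTP.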
Citation: Sadqi, Y., Asimi, A., & Asimi, Y. (2014). Short: A lightweight and secure session management protocol. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8593 LNCS, pp. 319–323). Springer Verlag. https://doi.org/10.1007/978-3-319-09581-3_23