SERENE: Self-reliant client-side protection against session fixation


Abstract

The web is the most widespread and de facto distributed application platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive target for attackers, since taking over an authenticated session fully compromises the user's account. This paper focuses on session fixation, where an attacker forces the user's browser to use a session identifier chosen by the attacker, so that once the user authenticates, the attacker can take over the now-authenticated session. We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks regardless of the security provisions, or lack thereof, of a web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications without being disruptive towards legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa's top one million sites, illustrating both Serene's large coverage (83.43%) and compatibility (95.55%). © 2012 IFIP International Federation for Information Processing.

Citation (APA)

De Ryck, P., Nikiforakis, N., Desmet, L., Piessens, F., & Joosen, W. (2012). SERENE: Self-reliant client-side protection against session fixation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7272 LNCS, pp. 59–72). https://doi.org/10.1007/978-3-642-30823-9_5
