BibTeX
@MISC{Murdoch_hardenedstateless,
author = {Steven J. Murdoch},
title = {Hardened Stateless Session Cookies},
year = {}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
Abstract. Stateless session cookies allow web applications to alter their behaviour based on user preferences and access rights, without maintaining server-side state for each session. This is desirable because it reduces the impact of denial of service attacks and eases database replication issues in load-balanced environments. The security of existing session cookie proposals depends on the server protecting the secrecy of a symmetric MAC key, which for engineering reasons is usually stored in a database, and thus at risk of accidental leakage or disclosure via application vulnerabilities. In this paper we show that by including a salted iterated hash of the user password in the database, and its pre-image in a session cookie, an attacker with read access to the server is unable to spoof an authenticated session. Even with knowledge of the server’s MAC key the attacker needs a user’s password, which is not stored on the server, to create a valid cookie. By extending an existing session cookie scheme, we maintain all the previous security guarantees, but also preserve security under partial compromise. 1
Keyphrases
stateless session cooky user password authenticated session previous security guarantee user preference accidental leakage session cookie scheme engineering reason session cookie web application access right database replication issue iterated hash server-side state application vulnerability load-balanced environment valid cookie service attack server mac partial compromise session cookie proposal symmetric mac key read access
