People's Newsroom


SecSess is a proposal to fundamentally address the security problems of bearer-token-based session management mechanisms in the presence of Web attackers and passive or active network attackers. SecSess prevents the transfer of a session without authorization by adding an integrity check, based on a shared secret, to every HTTP request. We have designed SecSess to be compatible with the middleboxes currently deployed on the Web, such as Web caches and perimeter security devices, a property that related proposals lack.

The main contribution of SecSess is a simple session management mechanism that addresses the fundamental threat of an unauthorized session transfer. SecSess achieves this security property by establishing a shared secret between server and browser during the session establishment phase. The integrity of each subsequent request is validated using the shared secret associated with the established session. This prevents an attacker from taking over the session, since he does not know the shared secret, and from fixating the session, since he cannot transfer his own shared secret to the user's browser. SecSess is compatible with current deployment scenarios on the Web, which often mix HTTP and HTTPS channels and rely on a variety of middleboxes deployed throughout the network infrastructure.

Even though widespread TLS deployment remains the optimal strategy, and SecSess is fully compatible with it, the current state of practice shows that full TLS deployment across the Web may be a utopian dream. We therefore envision upgrading the HTTP session management mechanism as part of the current movement towards improving the security of the default plaintext channel, in which techniques such as opportunistic encryption have been proposed for inclusion in the upcoming HTTP/2.0 specification.


Session management is a crucial component in every modern Web application. It links multiple requests and temporary stateful information together, enabling a rich and interactive user experience. Unfortunately, the de facto standard cookie-based session management mechanism is imperfect, which is why session management vulnerabilities rank second in the OWASP top 10 of Web application vulnerabilities. While improved session management mechanisms have been proposed, none of them achieves compatibility with currently deployed applications or infrastructure components such as Web caches.

SecSess is a lightweight session management mechanism that addresses common session management vulnerabilities by ensuring that a session remains under the control of the parties that established it. SecSess is fully interchangeable with the currently deployed cookie-based session management and can be rolled out gradually to clients and servers through an opt-in mechanism. An evaluation of our proof-of-concept implementation shows that SecSess introduces only minimal performance and networking overhead. Furthermore, we show empirically that SecSess is compatible with commonly used Web caches, in contrast to alternative approaches.

At the heart of a successful attack against session management lies an unauthorized session transfer. The most prominent example of such a transfer is a session hijacking attack, in which the attacker steals the session identifier assigned to the user. Session hijacking can be carried out through different attack vectors, for example by injecting JavaScript code that exfiltrates the session identifier, or by eavesdropping on the network, where the session cookie can be read from plaintext HTTP traffic. What enables such session transfer attacks is the role of the session identifier in current session management mechanisms: it acts as a bearer token, and the mere presence of this identifier in a cookie attached to a request suffices to legitimize the request within the session.
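The following is an added example, not the SecSess implementation or code from the paper, that shows how binding a session to a shared secret removes the bearer-token property described above and realizes the integrity check summarised earlier: every request carries an HMAC, keyed with the shared secret, over the method, path, session identifier and a per-session counter, and the server rejects anything without a fresh, valid tag. The cookie and header names, the counter-based replay check and the way the secret is handed over at establishment are assumptions of this example; in particular, the browser here simply supplies the secret when the session is created, which is only safe if that single exchange cannot be eavesdropped, whereas a real deployment would agree the secret with a key-agreement step. The hijacking and fixation attempts are constructed scenarios.

```python
import hashlib
import hmac
import secrets

# Cookie and header names are assumptions for this example; the page does not
# give the SecSess wire format.
SESSION_COOKIE = "SID"
COUNTER_HEADER = "X-Session-Counter"
TAG_HEADER = "X-Session-Integrity"


def canonical(method, path, sid, counter):
    """The bytes the MAC covers: binds the tag to one session and one request."""
    return f"{method}\n{path}\n{sid}\n{counter}".encode()


def tag(secret, data):
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.sessions = {}  # sid -> {"secret": bytes, "counter": int}

    def establish(self, browser_secret):
        """Session establishment: bind the browser's secret to a fresh id.
        Assumption: the browser supplies the secret directly, which is only
        safe if this one exchange is confidential; a real deployment agrees
        the secret with a key-agreement step so an eavesdropper never sees it."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"secret": browser_secret, "counter": 0}
        return sid

    def handle(self, request):
        """Accept the request only with a fresh counter and a valid tag."""
        sid = request["cookies"].get(SESSION_COOKIE)
        session = self.sessions.get(sid)
        if session is None:
            return 401, "unknown session"
        try:
            counter = int(request["headers"].get(COUNTER_HEADER, ""))
        except ValueError:
            return 401, "missing counter"
        if counter <= session["counter"]:
            return 401, "replayed request"
        expected = tag(session["secret"],
                       canonical(request["method"], request["path"], sid, counter))
        if not hmac.compare_digest(expected, request["headers"].get(TAG_HEADER, "")):
            return 401, "bad integrity tag"
        session["counter"] = counter
        return 200, f"ok {request['method']} {request['path']}"


class Browser:
    def __init__(self, server):
        self.server = server
        self.secret = secrets.token_bytes(32)  # stays in the browser after establishment
        self.sid = server.establish(self.secret)
        self.counter = 0

    def build(self, method, path):
        self.counter += 1
        t = tag(self.secret, canonical(method, path, self.sid, self.counter))
        return {"method": method, "path": path,
                "cookies": {SESSION_COOKIE: self.sid},
                "headers": {COUNTER_HEADER: str(self.counter), TAG_HEADER: t}}

    def send(self, method, path):
        return self.server.handle(self.build(method, path))


def hijack_attempt(server, browser):
    """Network attacker who captured one complete plaintext request."""
    observed = browser.build("GET", "/inbox")
    server.handle(observed)                       # the genuine request goes through
    replay = server.handle(observed)              # same bytes again: stale counter
    forged = dict(observed, method="POST", path="/transfer",
                  headers=dict(observed["headers"], **{COUNTER_HEADER: "999"}))
    return replay[0], server.handle(forged)[0]    # no secret, so no valid tag


def fixation_attempt(server):
    """Web attacker who plants his own session id in the victim's browser."""
    attacker = Browser(server)
    victim = Browser(server)
    victim.sid = attacker.sid   # the cookie can be planted, the secret cannot
    return victim.send("POST", "/login")[0]


if __name__ == "__main__":
    s = Server()
    b = Browser(s)
    print(b.send("GET", "/inbox"))   # (200, 'ok GET /inbox')
    print(hijack_attempt(s, b))      # (401, 401)
    print(fixation_attempt(s))       # 401
```

The session identifier is still sent as a plain cookie and an attacker may well obtain it, but without the secret he can neither build a new request nor make the victim's browser speak within his own session. The counter makes a captured request single-use; without it a passive network attacker could replay exactly what he saw, which still would not let him craft a request of his own.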

Current best practices for preventing session transfer attacks advocate an HTTPS-only deployment combined with the HttpOnly and Secure cookie flags. Such a deployment transmits the session cookie only over an encrypted channel and prevents the cookie from being accessed through JavaScript. While the benefits of HTTPS deployments are evident, wide-scale adoption on the Web is impeded by several intricacies. One often-cited issue is the performance impact, an argument that has lost most of its relevance on modern hardware. Second, HTTPS deployments are considerably more complex than HTTP deployments, placing a significant burden on system administrators. Examples of such complexities are creating keys, monitoring and renewing certificates, dealing with browser-approved certificate authorities, preventing mixed-content warnings, and deploying shared hosting using TLS's Server Name Indication extension, which only works if the client supports it.
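As an added example (not from the page), here is a small audit that parses the Set-Cookie headers of a response and reports session cookies that lack the HttpOnly or Secure flag, each finding named after the attack vector from the previous paragraph that the missing flag leaves open. The list of session cookie names and the sample response are constructed for this example.

```python
# Names a session cookie commonly goes by; an assumption for this example.
SESSION_COOKIE_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "connect.sid"}


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}).
    Attribute names are case-insensitive, so they are lowercased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return (cookie name, list of missing flags with the attack each allows)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected JavaScript")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie sent over plaintext HTTP, "
                        "readable by a network eavesdropper")
    return name, findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received. Returns
    {cookie: [findings]} for cookies that look like session identifiers."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie, findings = audit_set_cookie(hvalue)
        if cookie.lower() in SESSION_COOKIE_NAMES and findings:
            report[cookie] = findings
    return report


# Constructed sample response headers, as an HTTP client library returns them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=3f9c2a7b; Path=/"),
    ("Set-Cookie", "SID=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "JSESSIONID=0AF1; Path=/app; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response(SAMPLE_HEADERS).items():
        print(cookie)
        for finding in findings:
            print("  -", finding)
```

Only PHPSESSID and JSESSIONID are reported: SID carries both flags and `theme` is not a session cookie. Note that the Secure flag alone does not make a site HTTPS-only; it merely withholds the cookie from plaintext requests, so pages still served over HTTP will simply run without the session.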

In addition to the complexity of deploying HTTPS, a wide-scale transition to HTTPS severely obstructs the operation of so-called middleboxes, machines between the endpoints that cache, inspect or modify traffic. These middleboxes are essential parts of the Web infrastructure, for example by bringing the Web to developing nations through extensive caching and by enabling efficient video transmission on mobile phone networks. We acknowledge that wide-scale deployment of HTTPS remains imperative for securing the Web, but also recognize that it is a long and tedious process. This explains why the recent revelations about pervasive monitoring on the Web have sparked multiple proposals to transparently upgrade the security properties of the HTTP channel when both endpoints support it. One prominent proposal is to negotiate an encrypted HTTP channel without authenticating the endpoints, which has even been proposed as one of the available modes in the upcoming HTTP/2.0 specification. This eagerness to improve the security properties of the HTTP protocol, even by building them into the new version, shows that plaintext HTTP will remain in use for the foreseeable future. It therefore makes sense not only to upgrade the properties of the network-level protocol, but also to take the opportunity to improve the security of session management on top of HTTP.

SecSess is a lightweight session management mechanism that eradicates the bearer-token property of the session identifier in current cookie-based session management. SecSess is fully interchangeable with current cookie-based workflows and can be enabled on an opt-in basis, supporting a gradual migration path. Additionally, SecSess incurs only minimal computational and network overhead, carefully avoiding the introduction of additional requests and round trips. To our knowledge, SecSess is the only session management mechanism explicitly designed to be compatible with currently deployed Web infrastructure, such as the popular Web caches.