By: Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire
CONTENTS
Overview of HTTP
Concept of a HTTP Session
Overview of SSL
TLS
HTTPS
Conclusion
References
WHAT IS HTTP?
Hyper Text Transfer Protocol.
Works on the Application layer of the Internet model.
The protocol used for the service known as the World Wide Web (WWW).
Used for transferring web documents from the server to the client.
Uses the well-known port number 80.
HOW DOES HTTP WORK?
Interaction between the client and the server.
It's a dialog between two hosts using the HTTP Request and Response mechanism.
[Diagram: the Client sends a Request to the Server; the Server returns a Response]
STATELESSNESS OF HTTP
HTTP is termed a stateless protocol.
The server does not remember the previous request made by the client.
The advantage of a stateless protocol is that hosts do not need to retain information about users between requests.
But in the case of complex interaction between servers and clients, the previous history of requests should be known to the server.
AN HTTP SESSION
Sessions are used to compensate for the stateless nature of the HTTP protocol.
A session allows storage of information that is associated with the client for the duration of the client's visit.
There is a unique identification string for each session, called the Session ID (SID).
It is used to make HTTP stateful.
STATELESS SERVER
STATEFUL SERVER
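To make the stateless/stateful contrast of the two preceding slides concrete, here is an added Python example (not code from the original slides). It simulates a server handler in both modes and a client that either replays the cookie it was issued, as a browser does, or sends every request bare. The handler and client function names, the SID cookie name and the in-memory SESSIONS store are all constructed for this example; the cookie parsing uses the standard library's http.cookies.SimpleCookie.

```python
"""Stateless vs. stateful handling of repeated HTTP requests (constructed example)."""
from http.cookies import SimpleCookie
import secrets

# Server-side session store: session ID -> per-client state.
# Constructed for this example; a real app would persist this in a session backend.
SESSIONS: dict[str, dict] = {}


def handle_request_stateless(headers: dict) -> tuple[dict, str]:
    """Stateless handler: nothing from earlier requests survives,
    so every response looks like a first visit."""
    return {}, "visits=1"


def handle_request_stateful(headers: dict) -> tuple[dict, str]:
    """Stateful handler: state is keyed by a session ID (SID) that the
    client carries in its Cookie header. Returns (response_headers, body)."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    sid = jar["SID"].value if "SID" in jar else None

    response_headers: dict = {}
    if sid is None or sid not in SESSIONS:
        # Unknown client: mint an unpredictable SID from the OS CSPRNG and issue it.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"visits": 0}
        # HttpOnly keeps page scripts from reading the SID; Path scopes it to the site.
        response_headers["Set-Cookie"] = f"SID={sid}; Path=/; HttpOnly"
    SESSIONS[sid]["visits"] += 1
    return response_headers, f"visits={SESSIONS[sid]['visits']}"


def simulate_client(handler, requests: int, resend_cookie: bool) -> list[str]:
    """Issue `requests` GETs against `handler` and return the response bodies.
    With resend_cookie=True the client behaves like a browser and replays the
    cookie it was given; with False it sends every request bare."""
    cookie_header = ""
    bodies = []
    for _ in range(requests):
        req_headers = {"Cookie": cookie_header} if cookie_header else {}
        resp_headers, body = handler(req_headers)
        bodies.append(body)
        if resend_cookie and "Set-Cookie" in resp_headers:
            # A browser stores the name=value pair and drops the attributes when replaying.
            cookie_header = resp_headers["Set-Cookie"].split(";", 1)[0]
    return bodies


if __name__ == "__main__":
    print("stateless:", simulate_client(handle_request_stateless, 3, True))
    print("stateful, cookie replayed:", simulate_client(handle_request_stateful, 3, True))
    print("stateful, cookie dropped: ", simulate_client(handle_request_stateful, 3, False))
```

Running it shows the stateless handler answering "visits=1" three times, the stateful handler counting 1, 2, 3 when the cookie is replayed, and falling back to a fresh session (visits=1 each time) when the client drops the cookie: the server's memory of the client lives entirely in the SID it issued.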
SESSION MANAGEMENT
Session management is the technique used by the web developer to make the stateless HTTP protocol support session state.
Thus session management is a mechanism to make a session 'stateful'.
Session information is carried in the form of the SID.
METHODS FOR SESSION MANAGEMENT
URL rewriting.
Cookies.
URL BASED SESSION ID TRACKING
Also called URL rewriting.
The session ID information is embedded in the URL.
Example:
http://somesite.com/Admin.php?SessionID=1234567
HIDDEN POST FIELDS
The session ID information is stored within the hidden fields of a form and submitted to the application.
Makes use of the HTTP POST method.
CONTD..
A Name
A Value
An Expiry Date
A Path/Domain
A Security Code
SETTING A COOKIE
Syntax for setting a cookie (PHP setcookie()):
setcookie([name string], [value string], [expires UNIX time stamp], [path string], [domain string], [secure integer])
Example:
Set-Cookie: sessionID="IE60012219"; path="/"; domain="www.example.com"; expires="2003-06-01 00:00:00GMT"; version=0
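The following added Python example (not the slides' own code; Python stands in for the PHP setcookie() call shown above) covers both session ID carriers discussed on the URL-rewriting slide and this one: it rewrites a URL to embed a SessionID parameter and reads it back, builds a Set-Cookie header from the same parameter list as setcookie(), parses the slide's example header, and reports which protective attributes (Secure, HttpOnly) a header lacks. All function names, and the PAGE_EXAMPLE constant that simply repeats the slide's header, are constructed for this example.

```python
"""Session ID carriers: URL rewriting and Set-Cookie headers (constructed example)."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# The slide's own Set-Cookie example, with straight quotes.
PAGE_EXAMPLE = ('Set-Cookie: sessionID="IE60012219"; path="/"; domain="www.example.com"; '
                'expires="2003-06-01 00:00:00GMT"; version=0')


def rewrite_url(url: str, sid: str, param: str = "SessionID") -> str:
    """URL rewriting: embed the session ID as a query parameter of the URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [sid]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def extract_sid_from_url(url: str, param: str = "SessionID"):
    """Server side of URL rewriting: pull the session ID back out of the URL."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]


def set_cookie_header(name: str, value: str, expires: int = None, path: str = None,
                      domain: str = None, secure: bool = False, httponly: bool = False) -> str:
    """Build a Set-Cookie line; the parameter order mirrors PHP's setcookie()."""
    parts = [f"{name}={value}"]
    if expires is not None:
        # `expires` is a UNIX timestamp; browsers expect the RFC 1123 date form.
        when = datetime.fromtimestamp(expires, tz=timezone.utc)
        parts.append("Expires=" + when.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    if path:
        parts.append(f"Path={path}")
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")      # only send over HTTPS
    if httponly:
        parts.append("HttpOnly")    # not readable by page scripts
    return "Set-Cookie: " + "; ".join(parts)


def parse_set_cookie(line: str) -> dict:
    """Parse a Set-Cookie line into {'name', 'value', 'attrs'}; attribute names
    are lower-cased and flag attributes without '=' map to True."""
    _, _, rest = line.partition(":")
    pieces = [p.strip() for p in rest.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, has_eq, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if has_eq else True
    return {"name": name.strip(), "value": value.strip().strip('"'), "attrs": attrs}


def cookie_weaknesses(line: str) -> list[str]:
    """List protective attributes missing from a session cookie header."""
    attrs = parse_set_cookie(line)["attrs"]
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: the cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: the cookie is readable by page scripts")
    return issues


if __name__ == "__main__":
    print(rewrite_url("http://somesite.com/Admin.php", "1234567"))
    print(parse_set_cookie(PAGE_EXAMPLE))
    print(cookie_weaknesses(PAGE_EXAMPLE))
    # 1054425600 is 2003-06-01 00:00:00 UTC, the slide's expiry date as a UNIX timestamp.
    print(set_cookie_header("sessionID", "IE60012219", expires=1054425600, path="/",
                            domain="www.example.com", secure=True, httponly=True))
```

Parsing the slide's header shows it carries no Secure or HttpOnly attribute; the hardened header built at the end adds both and renders the expiry in the date form browsers actually parse. The URL form exposes the same SID in every place the URL is copied (logs, history, Referer headers), which is the main reason cookies are preferred as the carrier.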
MORE ON SESSION ID
Session IDs are used to track authenticated users.
Hence they should fulfil some criteria so that they are not compromised:
Session ID randomness
  Random
  Unpredictable
  Non-reproducible
Session ID length
  Protection against brute-force attacks.
  Minimum length should be 50 random characters.
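The randomness and length criteria above can be checked in code. This added Python example (not from the original slides) generates session IDs of the slide's minimum length from the OS CSPRNG, computes the entropy a given length and alphabet can provide, estimates how many guesses a brute-force search would need on average, and flags IDs that fail the length or character-set criteria; the 7-digit "1234567" from the URL-rewriting slide is used as the weak case. The function names, the 62-character alphabet and the 128-bit threshold are choices made for this example.

```python
"""Session ID strength: generation, entropy and length checks (constructed example)."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
MIN_LENGTH = 50                                   # the slide's minimum
MIN_BITS = 128.0                                  # entropy floor chosen for this example


def generate_session_id(length: int = MIN_LENGTH) -> str:
    """Draw each character from ALPHABET using the OS CSPRNG, so the result is
    unpredictable and non-reproducible."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in an ID of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int = len(ALPHABET),
                     valid_sessions: int = 1) -> float:
    """Average number of guesses a brute-force search needs before hitting one of
    `valid_sessions` live IDs: half the space, divided by the number of live IDs."""
    return alphabet_size ** length / (2 * valid_sessions)


def check_session_id(sid: str, min_bits: float = MIN_BITS) -> list[str]:
    """Return the criteria an ID visibly fails. A length/charset check can rule out
    obviously weak IDs; it cannot prove the generator was actually random."""
    problems = []
    if len(sid) < MIN_LENGTH:
        problems.append(f"too short: {len(sid)} < {MIN_LENGTH}")
    if not set(sid) <= set(ALPHABET):
        problems.append("contains characters outside the expected alphabet")
    if sid.isdigit():
        problems.append("digits only: looks like a counter or timestamp, not random data")
    # Upper bound on entropy given the character class actually observed.
    observed_alphabet = 10 if sid.isdigit() else len(ALPHABET)
    bits = entropy_bits(len(sid), observed_alphabet)
    if bits < min_bits:
        problems.append(f"at most {bits:.1f} bits of entropy, below {min_bits:.0f}")
    return problems


if __name__ == "__main__":
    strong = generate_session_id()
    print(strong, check_session_id(strong))
    print(f"{MIN_LENGTH} chars over {len(ALPHABET)} symbols: {entropy_bits(MIN_LENGTH):.1f} bits")
    print("weak example:", check_session_id("1234567"))
    print("guesses for a 7-digit ID:", expected_guesses(7, 10))
```

A 50-character ID over this alphabet carries roughly 298 bits, far beyond any brute-force budget, while the 7-digit example is exhausted in about five million guesses on average. Length is only half the criterion: the entropy figure assumes every character is drawn uniformly at random, which is why the generator must be a CSPRNG rather than a counter, a timestamp or a seeded PRNG.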
ATTACKS ON SESSION MANAGEMENT
A) SESSION HIJACKING
B) SESSION FIXATION
GOOD SESSION MANAGEMENT
GOOD SESSION MANAGEMENT MEASURES
Browser flaws
Bad Session IDs
Unencrypted Sessions
Session Fixation
SSL OVERVIEW
SSL CONNECTION ESTABLISHMENT
DATA TRANSMISSION USING SSL
SHORTCOMINGS OF SSL
Slower
TLS
Transport Layer Security protocol.
Successor of SSL.
Application areas:
E-commerce.
Asset management.
CONCLUSIONS
REFERENCES