
PRESENTATION ON

HTTP Session Management
and
Secure Session Overview

By –
Prasanna Deshpande
Sagar Sanjay Sane
Ameya Kulkarni
Akshay Navgire
CONTENTS
• Overview of HTTP
• Concept of an HTTP Session
• Session Management and its methods
• Attacks on Session Management
• Good Session Management
• Overview of SSL
• TLS
• HTTPS
• Conclusion
• References
WHAT IS HTTP?
• Hyper Text Transfer Protocol.
• Works on the Application layer of the Internet model.
• Protocol used for the service known as the World Wide Web (WWW).
• Used for transferring web documents from the server to the client.
• Uses the well-known port number 80.
HOW DOES HTTP WORK?
• Interaction between the client and the server.
• It is a dialog between two hosts using the HTTP Request and Response mechanism.

[Diagram: the Client sends a Request to the Server; the Server returns a Response to the Client]
STATELESSNESS OF HTTP
• HTTP is termed a stateless protocol.
• The server does not remember the previous request made by the client.
• The advantage of a stateless protocol is that hosts do not need to retain information about users between requests.
• But in the case of complex interaction between servers and clients, the previous history of requests should be known to the server.
AN HTTP SESSION
• Sessions are used to compensate for the stateless nature of the HTTP protocol.
• A session allows storage of information that is associated with the client for the duration of the client's visit.
• There is a unique identification string for each session, called the Session ID (SID).
• Used to make HTTP stateful.
STATELESS SERVER

[Diagram: stateless server]

STATEFUL SERVER

[Diagram: stateful server]
SESSION MANAGEMENT
• Session management is the technique used by the web developer to make the stateless HTTP protocol support session state.
• Thus session management is a mechanism to make a session 'stateful'.
• Session information is in the form of the SID.
• The SID is generated as a result of the first request from the end user running a web browser.
METHODS FOR SESSION MANAGEMENT
• URL rewriting
• Hidden form fields
• Cookies
URL BASED SESSION ID TRACKING
• Also called URL rewriting.
• Session ID information is embedded in the URL.
• Makes use of the HTTP GET method.
• Example:

  http://somesite.com/Admin.php?SessionID=1234567
HIDDEN POST FIELDS
• Session ID information is stored within the fields of a form and submitted to the application.
• Makes use of the HTTP POST method.
• The Session ID is embedded within the form as a hidden field and submitted with the POST command.
CONTD..

Example: Embedded within the HTML of a page

<FORM METHOD="POST" ACTION="/cgi-bin/news.pl">
<INPUT TYPE="hidden" NAME="sessionid" VALUE="IE60012219">
<INPUT TYPE="hidden" NAME="allowed" VALUE="true">
<INPUT TYPE="submit" NAME="Read News Article">
</FORM>
COOKIES
• An HTTP cookie (usually called simply a cookie) is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server.
• It was first developed by Netscape to solve the problem of user tracking.
• Cookies find use in areas like:
  - E-commerce
  - Customized web portals
  - Web site registration
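The three carriers just listed (URL rewriting, hidden form field, cookie) each deliver the Session ID to the server in a different part of the request. The following Python is an added example, not part of the slides: it shows how a server-side handler would extract the SID from each carrier. The request line, form body and Cookie header are constructed sample data, and the parameter names (SessionID, sessionid, sessionID) are taken from the slides' own examples.

```python
"""Added example (not from the slides): reading the SID from each carrier."""
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs, one per session-tracking method.
URL_REQUEST = "http://somesite.com/Admin.php?SessionID=1234567&view=news"
POST_BODY = "sessionid=IE60012219&allowed=true&Read+News+Article=1"
COOKIE_HEADER = "sessionID=IE60012219; theme=dark"


def sid_from_url(url: str, param: str = "SessionID") -> Optional[str]:
    """URL rewriting: the SID travels in the query string of a GET request.

    Anything here is also visible in browser history, proxy logs and the
    Referer header of outbound links, which is why the slides warn against
    viewable Session IDs.
    """
    query = parse_qs(urlsplit(url).query)
    values = query.get(param)
    return values[0] if values else None


def sid_from_form(body: str, field: str = "sessionid") -> Optional[str]:
    """Hidden form field: the SID travels in the urlencoded body of a POST."""
    values = parse_qs(body).get(field)
    return values[0] if values else None


def sid_from_cookie(header: str, name: str = "sessionID") -> Optional[str]:
    """Cookie: the SID travels in the Cookie request header on every request."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


if __name__ == "__main__":
    print("URL   :", sid_from_url(URL_REQUEST))
    print("Form  :", sid_from_form(POST_BODY))
    print("Cookie:", sid_from_cookie(COOKIE_HEADER))
```

Whichever carrier is used, the value that comes back is untrusted client input; the server must look it up in its own session map rather than believe any claim it carries (the `allowed=true` hidden field in the slide's form is exactly the kind of client-side state a server must not rely on).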
COOKIE STRUCTURE
A cookie contains the following information:

• A name
• A value
• An expiry date
• A path and domain
• A security flag
SETTING A COOKIE
Syntax for setting a cookie (PHP):

setcookie([name string], [value string], [expires UNIX timestamp], [path string], [domain string], [secure integer])

Example:

Set-Cookie: sessionID="IE60012219"; path="/"; domain="www.example.com"; expires="2003-06-01 00:00:00 GMT"; version=0
MORE ON SESSION ID
• Session IDs are used to track authenticated users.
• Hence they should fulfil some criteria so that they are not compromised:
  - Session ID randomness
    - Random
    - Unpredictable
    - Non-reproducible
  - Session ID length
    - Prevention against brute force attacks.
    - Minimum length should be 50 random characters.
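The two slides above give the criteria for a Session ID (random, unpredictable, non-reproducible, at least 50 characters) and the shape of the Set-Cookie header that delivers it. The Python below is an added example, not from the slides: it generates an ID from the operating system's CSPRNG via the standard `secrets` module, estimates its entropy, applies the length check, and emits the cookie header. The sequential `weak_session_id` exists only to show what a predictable, reproducible ID looks like next to a proper one. The Secure, HttpOnly and SameSite attributes and the fixed example date are my additions; the cookie name and domain come from the slide's example.

```python
"""Added example (not from the slides): session IDs that meet the criteria."""
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
MIN_SID_LENGTH = 50                                # the slides' minimum


def weak_session_id(counter: int) -> str:
    """A sequential ID: reproducible, and the next one is trivially predictable."""
    return f"SID{counter:08d}"


def secure_session_id(length: int = MIN_SID_LENGTH) -> str:
    """Every character drawn from a CSPRNG: random, unpredictable, non-reproducible."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(sid: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a SID drawn uniformly from `alphabet` (an upper bound otherwise)."""
    return len(sid) * math.log2(len(alphabet))


def meets_criteria(sid: str) -> bool:
    """Length and character-set check a server can apply to a presented SID."""
    return len(sid) >= MIN_SID_LENGTH and all(c in ALPHABET for c in sid)


def set_cookie_header(sid: str, domain: str, lifetime: timedelta,
                      now: datetime) -> str:
    """Build the Set-Cookie line carrying the SID.

    Secure keeps the cookie off plaintext connections, HttpOnly keeps it out of
    reach of scripts (one XSS mitigation), SameSite=Strict stops it riding on
    cross-site requests. All three are assumptions beyond the slide's example.
    """
    expires = (now + lifetime).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return (f"Set-Cookie: sessionID={sid}; Path=/; Domain={domain}; "
            f"Expires={expires}; Secure; HttpOnly; SameSite=Strict")


def example_header() -> str:
    """Header for a constructed date (2003-06-01, as on the slide) and a 1 h lifetime."""
    fixed_now = datetime(2003, 6, 1, tzinfo=timezone.utc)
    return set_cookie_header(secure_session_id(), "www.example.com",
                             timedelta(hours=1), fixed_now)


if __name__ == "__main__":
    sid = secure_session_id()
    print(sid, f"({entropy_bits(sid):.0f} bits)")
    print(example_header())
```

Fifty characters from a 62-symbol alphabet give roughly 298 bits of entropy, far beyond what brute forcing can cover; the sequential ID has effectively none, since one observed value reveals its neighbours.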
ATTACKS ON SESSION MANAGEMENT
• Attacks focus on retrieving a valid session key.
• These attacks are similar to SSN theft.
• Stealing a session ID allows a malicious user to assume the permissions of the legitimate user.
• Session attacks consist of two major categories:
  - Session hijacking
  - Session fixation
ATTACKS ON SESSION MANAGEMENT
A) SESSION HIJACKING
• Hijacking is the process of acquiring a valid session ID after it has been assigned.
• Hijacking is carried out in 3 different ways:
  - Prediction: occurs when a malicious user realizes that a pattern exists between session IDs.
  - Brute force attack: a malicious user repeatedly tries numerous session IDs until he gets a valid one.
  - Interception: occurs when a malicious user is able to extract data on the network, allowing them to determine the SID.
SESSION FIXATION
• This attack occurs because a malicious user is able to specify the session ID for a user's session.
• Permissive web applications will not assign a server-generated session ID if the client already has one. The application adopts the one the client presents.
• To use this vulnerability the attacker typically creates a link that sets the session identifier to a value they choose.
ATTACKS ON SESSION MANAGEMENT
B) SESSION FIXATION

[Diagram: session fixation]

GOOD SESSION MANAGEMENT
GOOD SESSION MANAGEMENT MEASURES
• Use strong encryption on all transmissions
• Store only the Session ID on the client side
• Perform sanity checks to detect session hijacking
• Expire the session after inactivity
• Do not make Session IDs viewable
• Select a good session identifier
• Prevent Cross-Site Scripting (XSS) vulnerabilities
• Force server-side Session ID creation
• Double check critical operations
GOOD SESSION MANAGEMENT MEASURES (CONTD.)
• Provide secure logout
• Securely store the server-side session map
• Expire the pages (to prevent caching)
• Make the Session ID dynamic, with hijack attempt detection
• Require re-authentication after the maximum login limit
• Check the SSL client certificate (if possible)
• Verify the domain before accepting cookie-based Session IDs
• Restrict the cookie path
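Several of the measures above, and the session fixation slide before them, come together in how the server-side session map is handled. The Python below is an added example, not from the slides, of a minimal session store that applies them: IDs are only ever created server-side and an unknown client-presented ID is ignored rather than adopted (which closes session fixation), the ID is rotated at login, a session expires after inactivity, a sanity check compares a client fingerprint on every request and counts mismatches as hijack attempts, and logout destroys the server-side entry rather than just the cookie. The idle timeout of 15 minutes, the use of the User-Agent string as the fingerprint, and the injected clock are my assumptions.

```python
"""Added example (not from the slides): a server-side session map with
fixation defence, ID rotation at login, inactivity expiry, hijack detection
and secure logout."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60   # assumption: seconds of inactivity before expiry


@dataclass
class Session:
    user: Optional[str]          # None until the user authenticates
    fingerprint: str             # assumption: e.g. User-Agent, stable per client
    last_seen: float             # epoch seconds of the last accepted request
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self, now: Callable[[], float]):
        self._now = now                        # clock, injected for testability
        self._sessions: Dict[str, Session] = {}
        self.hijack_attempts = 0               # counter a monitor could alert on

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(48)       # 64 URL-safe chars, 384 random bits

    def create(self, fingerprint: str) -> str:
        """Force server-side creation: the client never gets to pick the ID."""
        sid = self._new_id()
        self._sessions[sid] = Session(None, fingerprint, self._now())
        return sid

    def lookup(self, sid: Optional[str], fingerprint: str) -> Optional[Session]:
        """Resolve a presented SID; reject unknown, idle-expired or mismatched ones."""
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None                        # unknown SID: ignore, never adopt it
        if self._now() - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]            # expire after inactivity
            return None
        if session.fingerprint != fingerprint:
            self.hijack_attempts += 1          # sanity check failed: record it
            del self._sessions[sid]            # invalidate rather than trust either side
            return None
        session.last_seen = self._now()
        return session

    def login(self, sid: str, fingerprint: str, user: str) -> Optional[str]:
        """Authenticate and rotate the ID so a pre-login SID is worthless afterwards."""
        old = self.lookup(sid, fingerprint)
        if old is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, fingerprint, self._now(), old.data)
        return new_sid

    def logout(self, sid: str) -> bool:
        """Secure logout: remove the server-side entry, not just the client's cookie."""
        return self._sessions.pop(sid, None) is not None

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    import time
    store = SessionStore(time.time)
    anon = store.create("UA-demo")
    authed = store.login(anon, "UA-demo", "alice")
    print("rotated at login:", anon != authed)
    print("old id still valid:", store.lookup(anon, "UA-demo") is not None)
```

Rotating the ID at login is what actually defeats fixation: even if a pre-login ID were somehow known to someone else, the authenticated session lives under a fresh ID that only the server and the logging-in client ever see.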
BAD EXAMPLES
• Browser flaws
• Bad Session IDs
• Predictable Session IDs
• Unencrypted sessions
• Cross-site Scripting (XSS) vulnerabilities
• Session fixation
SSL OVERVIEW
• Secure Sockets Layer.
• Developed by Netscape in 1995.
• Provided a mechanism to have a secure transaction on the web.
• Makes use of digital certificates, signed by a trusted third-party Certificate Authority (CA), provided to the server.
• Consists of 2 sub-protocols, for:
  - SSL connection establishment
  - Data transmission
SSL CONNECTION ESTABLISHMENT

[Diagram: SSL connection establishment]

DATA TRANSMISSION USING SSL

[Diagram: data transmission using SSL]
SHORTCOMINGS OF SSL
• SSL uses RC4, which gives rise to keys which can be easily cryptanalyzed and compromised.
• Slower.
• Possible mismatch in the keys used to match the X.509 certificates.
TLS
• Transport Layer Security protocol.
• Successor of SSL.
• Operates at the transport layer.
• Used with HTTP to form HTTPS, to provide secure transactions.
• Involves 3 key phases:
  1. Peer negotiation for algorithm support.
  2. Key exchange and authentication.
  3. Symmetric cipher encryption and message authentication.
HTTPS
• HTTP Secure.
• Used to secure traffic on the WWW.
• Combination of HTTP and a cryptographic protocol (generally TLS).
• Port number 443 by default.
• Application areas:
  - E-commerce
  - Asset management
CONCLUSIONS
• Secure session management is critical to the security of web-based applications.
• The importance of secure session management cannot be overstated.
• As the trend is towards wireless access to the Internet (WLAN), there is a need to constantly evolve the existing session management techniques.
REFERENCES
• Secure Session Management, by Luke Murphey.
• Web Based Session Management, by Gunter Ollmann.
• www.wikipedia.org
• Computer Networks, by Andrew Tanenbaum.