New Journal Paper available – Measuring Web Session Security at Scale
The Web is built on the shoulders of HTTP, a stateless protocol for transferring hypertext. Modern and complex web applications keep track of a user's state within so-called web sessions.
A session usually starts either when a user connects or logs in to a website. Logging in usually promotes a session to access sensitive functionality and data. At last, a web server may destroy a session after an expiration time or when a user logs out. In all of these stages, the security of session management plays an important role, as flaws may lead to the leakage of credentials, the exposure of personally identifiable information or lengthen the time frame for possible attacks unnecessarily. In this paper, we report on the state of session security on more than 6000 websites. We assess the widespread of well-known security flaws for all stages in the lifecycle of a web session: before logging in, logged in, and after logging out. Our findings show that a substantial portion of sites suffer from well-known vulnerabilities or follow insecure practices. Which one these are and how to protect against them is discussed in length in our paper. A pre-print version can be downloaded here.
About the authors: This is a joint work of Stefano Calzavara (University Ca' Foscari), Hugo Jonker (OU NL), Benjamin Krumnow (OU NL & TH Köln), and Alvise Rabitti (University Ca' Foscari). Benjamin Krumnow is a PhD candidate at the Open University and employed by the TH Köln. In the Web Science programme, he teaches Web Architectures, Risks and Opportunities of Social Media Data, and Web Trust.
October 2021