Http Session Management And Secure Session Overview



PRESENTATION ON HTTP Session Management and Secure Session Overview

By: Prasanna Deshpande, Sagar Sanjay Sane, Ameya Kulkarni, Akshay Navgire

CONTENTS
  • Overview of HTTP
  • Concept of an HTTP Session
  • Session Management and its methods
  • Attacks on Session Management
  • Good Session Management
  • Overview of SSL
  • TLS
  • HTTPS
  • Conclusion

WHAT IS HTTP?
  • Hyper Text Transfer Protocol.
  • Works at the application layer of the Internet model.
  • The protocol behind the service known as the World Wide Web (WWW).
  • Used to transfer web documents from the server to the client.
  • Uses the well-known port number 80 (443 when wrapped in TLS as HTTPS).

HOW DOES HTTP WORK?
  • An interaction between a client and a server.
  • It is a dialogue between two hosts using the HTTP request/response mechanism: the client sends a request, the server returns a response.

[Figure: client sends Request to server, server returns Response]

STATELESSNESS OF HTTP
  • HTTP is termed a stateless protocol.
  • The server does not remember the previous request made by the client; each request is handled on its own.
  • The advantage of a stateless protocol is that hosts do not need to retain information about users between requests.
  • But for complex interactions between servers and clients (a login followed by further actions, a shopping cart), the server needs to know the history of the client's previous requests.

AN HTTP SESSION
  • Sessions compensate for the stateless nature of the HTTP protocol.
  • A session allows storage of information associated with the client for the duration of the client's visit.
  • Each session has a unique identification string called the Session ID (SID); the client presents it with every request.
  • Used to make HTTP effectively stateful.

[Figure: STATELESS SERVER, each request handled independently]

[Figure: STATEFUL SERVER, requests tied together by a session ID]

SESSION MANAGEMENT
  • Session management is the technique the web developer uses to make the stateless HTTP protocol support session state.
  • Thus session management is the mechanism that makes a session 'stateful'.
  • The session information carried by the client is the SID; the state itself stays on the server.
  • The SID is generated by the server as a result of the first request from the end user's web browser (and should be regenerated when the user authenticates).
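The request/response dialogue and the session mechanism described on the preceding slides, as an added worked example in Python (standard library only; this is not code from the presentation). The raw HTTP requests are constructed inline, and the cookie name SID and the StatefulServer class are illustrative assumptions.

```python
"""Added example: a stateless request handler made stateful with a session ID carried in a cookie."""
import secrets


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request (constructed text, no body) into method, path and a header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, headers


def session_id_from(headers: dict):
    """Return the SID the client presented in its Cookie header, or None on a first visit."""
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "SID":
            return value
    return None


class StatefulServer:
    """Keeps all per-client state server-side; the client only ever holds the SID."""

    def __init__(self):
        self.sessions = {}   # sid -> {"visits": int}

    def handle(self, raw: str):
        """Process one request; returns (raw HTTP response, sid used for this client)."""
        method, path, headers = parse_request(raw)
        sid = session_id_from(headers)
        set_cookie = ""
        if sid not in self.sessions:
            # First visit, or a SID we never issued: mint a fresh one instead of adopting the client's value
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"visits": 0}
            set_cookie = f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
        self.sessions[sid]["visits"] += 1
        body = f"{method} visit {self.sessions[sid]['visits']} of {path}"
        response = (
            "HTTP/1.1 200 OK\r\n"
            f"{set_cookie}"
            "Content-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"\r\n{body}"
        )
        return response, sid
```

Without the Cookie header the second request is indistinguishable from a stranger's first visit; with it, the server can look up the visit count it kept for that client. Note that the server never adopts an unknown SID from the client: it always issues its own.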

METHODS FOR SESSION MANAGEMENT
  • URL rewriting
  • Hidden form fields
  • Cookies

URL BASED SESSION ID TRACKING
  • Also called URL rewriting.
  • Session ID information is embedded in the URL.
  • Makes use of the HTTP GET method.
  • Example:

http://somesite.com/Admin.php?SessionID=1234567

  • Caveat: a SID in the URL ends up in browser history, bookmarks, proxy and server logs, and in the Referer header sent to other sites, so it is the easiest of the three methods to leak.

HIDDEN POST FIELDS
  • Session ID information is stored within the fields of a form and submitted to the application.
  • Makes use of the HTTP POST method.
  • The Session ID is embedded within the form as a hidden input field and submitted with the POST request.
  • Example: the SID is embedded within the HTML of a page as a hidden field of the form.
  • Caveat: the SID is still visible in the page source and must be re-emitted in every page, so this only works for form-to-form navigation.

COOKIES
  • An HTTP cookie (usually called simply a cookie) is a small piece of data sent by a server to a web browser and then sent back by the browser with each subsequent request to that server.
  • It was first developed at Netscape to solve the problem of tracking a user's state across requests (the original use case was a shopping cart).
  • Cookies find use in areas like:
      • E-commerce
      • Customized web portals
      • Web site registration

COOKIE STRUCTURE
A cookie contains the following information:
  • A name
  • A value
  • An expiry date
  • A path
  • A domain
  • A Secure flag (send the cookie only over an encrypted connection)

SETTING A COOKIE
Syntax for setting a cookie (this is the signature of PHP's setcookie()):

setcookie([name string], [value string], [expires UNIX timestamp], [path string], [domain string], [secure boolean])

Example of the resulting response header:

Set-Cookie: sessionID=IE60012219; path=/; domain=www.example.com; expires=Sun, 01 Jun 2003 00:00:00 GMT; version=0

(The Version attribute comes from the older RFC 2109 cookie syntax; current browsers follow RFC 6265, which drops it. A session cookie should additionally carry the Secure and HttpOnly attributes.)
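An added example (Python standard library, not code from the presentation) that builds the Set-Cookie header for a session cookie with the fields listed under COOKIE STRUCTURE plus the attributes a session cookie needs today, and audits any Set-Cookie header for missing ones. The cookie name, value and domain reuse the slide's own example values; the audit function and its rule set are assumptions for illustration.

```python
"""Added example: build a hardened Set-Cookie header for a session cookie and audit headers for weaknesses."""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, domain: str, max_age: int) -> str:
    """Return a Set-Cookie header value with the attributes a session cookie should carry."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"             # scope; narrow it if the application lives under a prefix
    morsel["domain"] = domain        # exact host: do not share the SID with sibling hosts
    morsel["max-age"] = max_age      # lifetime in seconds, preferred over an absolute Expires date
    morsel["secure"] = True          # only sent over HTTPS, so it cannot be intercepted in the clear
    morsel["httponly"] = True        # invisible to document.cookie, blunting theft via XSS
    morsel["samesite"] = "Strict"    # not attached to cross-site requests
    return morsel.OutputString()


def parse_set_cookie(header: str):
    """Parse a Set-Cookie header value into (name, value, {attribute: value, or True for flags})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if sep else True
    return name.strip(), value.strip().strip('"'), attrs


def audit_session_cookie(header: str) -> list:
    """List the hardening attributes missing from a session cookie header (empty list means it passes)."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("Secure")
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite")
    return findings
```

Run the audit against the slide's 2003-style header and all three findings come back; run it against the header this code builds and the list is empty. The audit is deliberately strict about SameSite because a session cookie sent on cross-site requests is what makes CSRF work.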

MORE ON SESSION ID
  • Session IDs are used to track authenticated users, so whoever holds one is that user as far as the application can tell.
  • Hence they should fulfil some criteria so that they are not compromised:
  • Session ID randomness
      • Random: drawn from a cryptographically secure random number generator
      • Unpredictable: no pattern (counter, timestamp, user name) from which the next ID or another user's ID can be derived
      • Non-reproducible: not derivable from anything the attacker can observe or compute
  • Session ID length
      • Prevention against brute force attacks: the space of possible IDs must be far larger than the number of live sessions.
      • The authors recommend a minimum of 50 random characters; current OWASP guidance asks for at least 64 bits of entropy in an ID of at least 128 bits.

ATTACKS ON SESSION MANAGEMENT
  • Attacks focus on obtaining a valid session ID.
  • These attacks are similar to identity theft (stealing someone's social security number): the thief can act as the victim.
  • Stealing a session ID allows a malicious user to assume the permissions of the legitimate user without knowing the password.
  • Session attacks fall into two major categories:
      • Session hijacking
      • Session fixation

ATTACKS ON SESSION MANAGEMENT
A) SESSION HIJACKING
  • Hijacking is the process of acquiring a valid session ID after it has been assigned to a user.
  • Hijacking is carried out in three different ways:
      • Prediction: occurs when a malicious user realizes that a pattern exists between session IDs and computes a valid one.
      • Brute force attack: a malicious user repeatedly tries numerous session IDs until one is accepted; feasible whenever the ID space is small relative to the number of live sessions.
      • Interception: occurs when a malicious user is able to read data on the network (unencrypted HTTP, or a SID leaked in a URL) and extract the SID.
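The randomness and length criteria from the MORE ON SESSION ID slide, together with the prediction and brute-force attacks described above, as one added example in Python (not code from the presentation). The weak generator is constructed to show the kind of pattern an attacker exploits; the entropy and guess-count arithmetic is standard, and the request rates and session counts used in the test are assumptions.

```python
"""Added example: why session IDs need CSPRNG randomness and length (prediction and brute-force math)."""
import math
import secrets


def strong_session_id(nbytes: int = 32) -> str:
    """Server-generated SID from the OS CSPRNG: 32 bytes = 256 bits of entropy, 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def weak_session_id(seconds: int, counter: int) -> str:
    """Constructed weak generator of the kind the slide warns about: Unix time plus a request counter,
    printed in hex. Twelve hex characters look random but the structure leaks completely."""
    return f"{seconds:08x}{counter:04x}"


def predict_next_weak(observed: str) -> str:
    """Prediction attack: from one observed weak SID, recover the fields and forge the next one issued."""
    seconds = int(observed[:8], 16)
    counter = int(observed[8:], 16)
    return weak_session_id(seconds, counter + 1)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a SID drawn uniformly at random: length symbols from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy: int, live_sessions: int) -> int:
    """Brute force: expected guesses before hitting any of live_sessions valid SIDs in a 2**entropy space."""
    return 2 ** entropy // live_sessions


def brute_force_years(entropy: int, live_sessions: int, guesses_per_second: int) -> float:
    """Wall-clock cost of that brute force at a given request rate."""
    return expected_guesses(entropy, live_sessions) / guesses_per_second / (365 * 24 * 3600)
```

Two things the arithmetic makes visible: length alone is not randomness (the 12-character weak ID has at most 48 bits even if its fields were random, and in practice far less because one observation reveals them all), and the brute-force cost must be computed against every live session, not against a single target, which is why a busy site needs more entropy than a small one.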

ATTACKS ON SESSION MANAGEMENT
B) SESSION FIXATION
  • This attack occurs because a malicious user is able to specify the session ID for a user's session before that user logs in.
  • Permissive web applications will not assign a server-generated session ID if the client already has one; the application adopts the one the client presents.
  • To exploit this, the attacker typically creates a link (or sets a cookie) that fixes the session identifier to a value they choose, waits for the victim to log in while holding it, and then uses the same identifier to act as the victim.

[Figure: session fixation flow]
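The session fixation attack as an added Python example (not code from the presentation): the same attack is run against a permissive login that keeps the presented SID, and against a login that regenerates the SID at authentication. The SessionStore class and the function names are illustrative assumptions; the example link reuses the somesite.com URL from the URL rewriting slide.

```python
"""Added example: session fixation against a permissive login versus a login that regenerates the SID."""
import secrets


class SessionStore:
    """Constructed server-side session map: sid -> {"user": authenticated user or None}."""

    def __init__(self):
        self.sessions = {}

    def issue(self) -> str:
        """Create a fresh anonymous session, as any first visit to the site would."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def login_permissive(store: SessionStore, presented_sid: str, user: str) -> str:
    """VULNERABLE (the behaviour the slide describes): if the client already holds a known SID,
    keep it and simply mark it authenticated."""
    sid = presented_sid if presented_sid in store.sessions else store.issue()
    store.sessions[sid]["user"] = user
    return sid


def login_regenerating(store: SessionStore, presented_sid: str, user: str) -> str:
    """Hardened: discard the pre-authentication session and issue a new server-generated SID at login,
    so any identifier the attacker planted is worthless afterwards."""
    store.sessions.pop(presented_sid, None)
    sid = store.issue()
    store.sessions[sid]["user"] = user
    return sid


def user_for(store: SessionStore, sid: str):
    """What the application believes about whoever presents this SID."""
    return store.sessions.get(sid, {}).get("user")


def run_fixation_attack(login) -> bool:
    """Replay the attack against a login routine; True means the attacker now owns the victim's session.
    1. Attacker visits the site and receives a valid anonymous SID.
    2. Attacker plants it on the victim, e.g. via the link http://somesite.com/Admin.php?SessionID=<sid>
       (URL rewriting) or an injected cookie.
    3. Victim logs in while presenting that SID.
    4. Attacker presents the same SID: is it now authenticated as the victim?"""
    store = SessionStore()
    fixed_sid = store.issue()
    login(store, fixed_sid, "victim")
    return user_for(store, fixed_sid) == "victim"
```

The regenerating login also pops the presented SID, so a planted identifier cannot linger in the map as an anonymous session either; the only SID that carries the victim's authentication is one the attacker never saw.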

GOOD SESSION MANAGEMENT


GOOD SESSION MANAGEMENT MEASURES
  • Use strong encryption (TLS) on all transmissions
  • Store only the session ID on the client side
  • Perform sanity checks to detect session hijacking
  • Expire sessions after inactivity
  • Do not make session IDs viewable (no URL rewriting)
  • Select a good session identifier
  • Prevent cross-site scripting (XSS) vulnerabilities
  • Force server-side session ID creation
  • Double check critical operations

GOOD SESSION MANAGEMENT MEASURES (contd.)
  • Provide secure logout (invalidate the session on the server, not just the cookie)
  • Securely store the server-side session map
  • Expire the pages (to prevent caching)
  • Make the session ID dynamic, with hijack attempt detection
  • Require re-authentication after a maximum login time
  • Check the SSL client certificate (if possible)
  • Verify the domain before accepting cookie-based session IDs
  • Restrict the cookie path
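Several of the measures listed above (a server-side session map, expiry after inactivity, a maximum session lifetime, a sanity check that detects hijacking, secure logout and a dynamic session ID), as one added Python example that is not code from the presentation. The timeout values, the fingerprint fields and the SessionManager class are assumptions for illustration.

```python
"""Added example: server-side session manager with expiry, hijack sanity checks, rotation and logout."""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed policy value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime after which re-authentication is required (assumed)


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse client binding for the sanity check, hashed so the raw values are not kept in the session map."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionManager:
    """Constructed server-side session map; the client holds nothing but the SID."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable clock so expiry can be exercised without waiting
        self.sessions = {}        # sid -> {"user", "fp", "created", "last_seen"}

    def create(self, user: str, fingerprint: str) -> str:
        """Server-side SID creation from a CSPRNG, never from a value the client proposes."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "fp": fingerprint, "created": now, "last_seen": now}
        return sid

    def validate(self, sid: str, fingerprint: str):
        """Return (user, reason). Every failed check destroys the session, so a hijacker gets no retries."""
        session = self.sessions.get(sid)
        if session is None:
            return None, "unknown-sid"
        now = self.clock()
        if now - session["created"] > ABSOLUTE_TIMEOUT:
            self.logout(sid)
            return None, "absolute-timeout"
        if now - session["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None, "idle-timeout"
        if session["fp"] != fingerprint:
            self.logout(sid)                     # sanity check failed: treat as a hijack attempt
            return None, "fingerprint-mismatch"
        session["last_seen"] = now
        return session["user"], "ok"

    def rotate(self, sid: str) -> str:
        """Make the SID dynamic: move the state to a new identifier (e.g. after a privilege change)."""
        state = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = state
        return new_sid

    def logout(self, sid: str) -> None:
        """Secure logout: drop the server-side entry; deleting only the client cookie leaves the SID live."""
        self.sessions.pop(sid, None)
```

The fingerprint check is defence in depth, not proof: an attacker who steals the cookie can usually copy the User-Agent as well, and binding to the client IP breaks for users behind mobile carriers or NAT. Log the mismatch, kill the session and force a fresh login rather than treating it as a confirmed attack.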


BAD EXAMPLES
  • Browser flaws
  • Bad session IDs
  • Predictable session IDs
  • Unencrypted sessions
  • Cross-site scripting (XSS) vulnerabilities
  • Session fixation

SSL OVERVIEW
  • Secure Sockets Layer.
  • Developed by Netscape; the first public version (SSL 2.0) shipped in 1995.
  • Provided a mechanism for secure transactions on the web.
  • Makes use of digital certificates, signed by a trusted third-party Certificate Authority (CA), provided to the server.
  • Consists of two sub-protocols:
      • SSL connection establishment (the handshake protocol)
      • Data transmission (the record protocol)

[Figure: SSL CONNECTION ESTABLISHMENT (handshake)]

[Figure: DATA TRANSMISSION USING SSL (record protocol)]

SHORTCOMINGS OF SSL
  • SSL commonly negotiated RC4 cipher suites; biases in the RC4 keystream let an attacker recover plaintext, and RC4 has since been prohibited in TLS.
  • Slower: the handshake adds round trips and public-key operations on top of plain HTTP.
  • Possible mismatch between the key or name in the X.509 certificate and the server the client expects, which the client must detect and reject.

TLS
  • Transport Layer Security protocol.
  • Successor of SSL.
  • Sits above TCP, between the transport and application layers, so application protocols such as HTTP run over it unchanged.
  • Used with HTTP to form HTTPS and provide secure transactions.
  • Involves three key phases:
      1. Peer negotiation for algorithm support (protocol version and cipher suite).
      2. Key exchange and authentication (the server proves its identity with its certificate).
      3. Symmetric-cipher encryption and message authentication of the application data.
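The three TLS phases above and the RC4 shortcoming from the SSL slide, as an added Python example (not code from the presentation) that configures a client-side ssl.SSLContext so that negotiation refuses pre-TLS 1.2 versions and RC4/MD5 suites, authentication requires a valid server certificate, and the data phase uses AEAD ciphers only. The policy checker and the WEAK_MARKERS list are assumptions; the ssl module calls are the standard library's.

```python
"""Added example: a TLS client policy that pins the three phases to modern, non-RC4 choices."""
import ssl

WEAK_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXPORT")   # substrings that mark a cipher suite as unacceptable


def hardened_client_context() -> ssl.SSLContext:
    """Client context: verifies the server certificate and refuses legacy protocol versions and ciphers."""
    ctx = ssl.create_default_context()             # phase 2: CERT_REQUIRED plus hostname check against the X.509 chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # phase 1: SSLv3 and TLS 1.0/1.1 are never offered in negotiation
    # phase 3: forward-secret key exchange with AEAD symmetric ciphers only; RC4 and MD5 explicitly excluded
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The insecure pattern often seen in scripts: encryption without authenticating the peer (MITM-able)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiable_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites this context would offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Check a context against the policy; an empty list means all three phases are acceptably configured."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("legacy protocol version allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        issues.append("server certificate not verified")
    for name in negotiable_ciphers(ctx):
        if any(marker in name for marker in WEAK_MARKERS):
            issues.append(f"weak cipher offered: {name}")
    return issues
```

The certificate check matters for the session topic specifically: a context with verify_mode CERT_NONE still encrypts, but an interceptor can terminate the connection with its own certificate and read the session cookie off the decrypted stream, which is exactly the interception attack the hijacking slide describes.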

HTTPS
  • HTTP Secure.
  • Used to secure traffic on the WWW.
  • Combination of HTTP and a cryptographic protocol (generally TLS).
  • Port 443 by default.
  • Application areas:
      • E-commerce
      • Asset management

CONCLUSIONS
  • Secure session management is critical to the security of web-based applications.
  • The importance of secure session management cannot be overstated.
  • As the trend is towards wireless access to the Internet (WLAN), where traffic is easier to intercept, the existing session management techniques need to evolve constantly.

