Friday, January 21, 2011

HTTP Session Tracking Mechanism and the Security

HTTP is a stateless protocol: without a session tracking mechanism, the server cannot recognise that several HTTP requests come from the same user.

There are four approaches a server can use to track a user.

The following table describes each approach and its security impact:

| Session Tracking Mechanism | Description | When to Use | Security |
|---|---|---|---|
| Hidden fields | HTML hidden form fields carry the user's unique session ID. | Rarely used for session tracking because of security concerns. | Not secure: the hidden fields can be intercepted by an attacker. |
| URL rewriting | Every local URL the user might click on is dynamically modified, or rewritten, to include extra information. The extra information can be extra path information, added parameters, or some custom, server-specific URL change. Because of the limited space available when rewriting a URL, the extra information is usually limited to a unique session ID. | One of the best alternatives when the user's browser has cookies disabled. | Exposes the session ID in the URL, which can lead to session fixation or man-in-the-middle attacks. |
| Persistent cookie | A cookie intended to maintain information across more than one browser session. | When the application needs to track a user across more than one session; widely used by shopping and news websites to track user preferences. | Raises privacy and security concerns if the cookie saved in persistent storage (file system or database) is revealed to an attacker. |
| Session cookie | A cookie intended to be used only in the browser session in which it is created. | To track a user's ID within one session; widely used by most commercial websites. | Compared with the other approaches this one has proved somewhat more secure, although it still faces session hijacking and cookie poisoning attacks. See http://en.wikipedia.org/wiki/HTTP_cookie |
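As an added example (not part of the original post), the following Python shows the defender-side counterpart of three rows of the table: a session cookie versus a persistent cookie built with hardening attributes, session-ID rotation at login against the fixation risk of an exposed ID, and a log check that flags session IDs carried in URLs. The cookie name SID, the parameter names jsessionid/sid, the in-memory store and the log format are assumptions for this example.

```python
import re
import secrets
# Session ID exposed in a URL as ";jsessionid=" path info or a "?sid=" parameter (assumed names).
_URL_SID = re.compile(r"(?:;jsessionid=|[?&](?:sessionid|sid)=)([A-Za-z0-9_-]+)", re.I)

def new_session_id() -> str:
    """Unguessable session ID: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)

def session_cookie_header(session_id: str, persistent: bool = False,
                          max_age: int = 30 * 24 * 3600) -> str:
    """Set-Cookie header for the session ID (cookie name SID is assumed). A
    session cookie has no Max-Age and dies with the browser session; a persistent
    one gets a Max-Age and is written to disk, the exposure the table warns about.
    HttpOnly hides the ID from page scripts, Secure keeps it off plaintext HTTP."""
    attrs = [f"SID={session_id}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={max_age}")
    return "Set-Cookie: " + "; ".join(attrs)

class SessionStore:
    """Minimal in-memory session store (an assumption for this example)."""
    def __init__(self):
        self._sessions = {}
    def create(self) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid
    def login(self, sid: str, user: str) -> str:
        """Rotate the ID at authentication so an ID planted before login
        (session fixation) never becomes an authenticated session."""
        data = self._sessions.pop(sid, {})
        new_sid = new_session_id()
        self._sessions[new_sid] = {**data, "user": user}
        return new_sid
    def get(self, sid: str):
        return self._sessions.get(sid)

def session_ids_in_urls(log_lines) -> list:
    """Flag log lines whose URL carries a session ID (URL rewriting): such
    IDs land in server logs, browser history and Referer headers."""
    return [m.group(1) for m in map(_URL_SID.search, log_lines) if m]

# Constructed sample access-log lines, not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2011:10:00:01] "GET /cart;jsessionid=ABC123 HTTP/1.1" 200',
    '10.0.0.6 - - [21/Jan/2011:10:00:02] "GET /news?page=2 HTTP/1.1" 200',
    '10.0.0.7 - - [21/Jan/2011:10:00:03] "GET /account?sid=xyz HTTP/1.1" 200',
]
```

Running `session_ids_in_urls(SAMPLE_LOG)` on the constructed lines flags the two URL-rewritten IDs and ignores the ordinary page request.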
