ABSTRACT

As we become more dependent on web applications to perform our daily activities, the web session is becoming a lucrative target for hackers. When a user is authenticated to access an application over the Internet, a session is established. Typically, a session includes a randomly generated token as well as contextual information that records the status of the user at the server side (e.g., logged in, not logged in). The session token is sent to the client side, and further communication between the client and the server is performed on the basis of that established token. Unfortunately, weaknesses that allow session tokens to be guessed or stolen are still prevalent among deployed web applications. Thus, by stealing or altering a web session, hackers are able to take over a user's access to a web application and perform unauthorized activities without the victim's knowledge. Traditional network-based defense techniques

Contents

19.1 Introduction ... 390
19.2 Overview of Web Sessions ... 391