A Secure Session Management Based on Threat Modeling

Abstract

A session is a period of time linked to a user, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Very often, session IDs are not only identification tokens, but also authenticators. This means that upon login, users are authenticated based on their credentials (e.g., usernames/passwords or digital certificates) and issued session IDs that will effectively serve as temporary static passwords for accessing their sessions. This makes session IDs a very appealing target for attackers. In many cases, an attacker who manages to obtain a valid ID of user’s session can use it to directly enter that session – often without arising user’s suspicion. A secure session management must be implemented in the development phase of web applications because it is the responsibility of the web application, and not the underlying web server. Threat modeling is a systematic process that is used to identify threats and vulnerabilities in software and has become popular technique to help system designers think about the security threats that their system might face. In this paper we design the threat modeling for session’s ID threat by using SeaMonster security modeling software, and then propose a secure session management that avoids the vulnerabilities. The proposed secure session management is designed to give trust authentication between the client and the server to avoid session hijacing attack by using both: server session’s ID and MAC address of the client.Visual Studio. Net 2008 is used in implementing the proposed system.