
How to prevent session hijacking

Affects product: Airlock WAF
Affects version(s): 4.x, 5.x, 6.x

Although session hijacking is basically a client security issue, most attacks can be detected on the server side. This article describes how Airlock helps to protect web applications against session hijacking.

Session tracking on Airlock

By default, Airlock recognizes HTTP requests of the same browser/user by a session ID carried in a cookie.

As an alternative mechanism, HTTPS sessions may be tied to the SSL session ID instead (option "Track sessions based on SSL session ID" on the configuration page "Session settings"). An SSL session ID is much harder to reuse than an HTTP cookie. A drawback of this solution is that some clients may have to re-login very frequently, because their browser/operating system uses a short SSL session timeout. Another problem is introduced by forward proxies that share SSL sessions among their users: this leads to inadvertent "session sharing" between those users, and Airlock can then no longer distinguish them.

Cookie stealing and session hijacking

If an attacker is able to steal the session cookie, he can pretend to be the same user, or hijack the session during its lifetime. An attacker can therefore send requests (or issue transactions) in the name of the user until either the session times out or the user manually terminates the session by clicking some logout button. Airlock mitigates this threat by using a separate session cookie for HTTPS requests, using SSL to transport the token, clearing the token when the session ends, and causing the token to expire after a period of client inactivity. Additionally, current browsers try to protect all cookies ("same-origin policy").

Client vs. server side security

Nowadays, the best chance for attackers to steal session cookies is by installing malicious software on the client (viruses, worms, trojan horses, spyware etc.) [1]. This "malware" can easily steal the cookie and either send HTTP requests directly from the infected machine or forward the cookie to another system controlled by the attacker.
Please note that the infection itself can only be prevented by client security measures such as a personal firewall and spyware, virus and trojan scanners. Some remote access solutions with so-called "clientless security" features claim to enforce that such protection software is active and up to date. In practice, however, they are viable only for controlled client environments and are not suited for public websites, B2C or e-business solutions.

In order to maximize the protection on the server side, Airlock offers countermeasures to detect and prevent session hijacking:

  • An intelligent engine fingerprints all requests of a session by not only tracking the IP address and SSL session ID, but also by analyzing the HTTP headers. Each change (e.g. a different HTTP header order) adds penalty points to the session, which is terminated as soon as the sum exceeds a configurable limit. For more details, consult the article "Prevent Session Hijacking with HTTP Client Fingerprints" (prior to 4.2.6) or "Client Fingerprinting configuration" (since 4.2.6).
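As an added example, not Airlock's own code: a toy model in Python of the penalty-point fingerprinting just described. The attributes compared, the penalty weights and the limit are assumptions chosen to illustrate the mechanism, and the sample requests are constructed.

```python
# Added example, not Airlock's own code: a toy version of the penalty-point
# session fingerprinting described above. Weights and limit are assumptions.
from dataclasses import dataclass

# Penalty points per changed attribute (constructed values, not Airlock's).
PENALTIES = {"ip": 3, "ssl_session_id": 4, "header_order": 2, "user_agent": 5}
LIMIT = 6  # the "configurable limit"; the value here is an assumption

@dataclass
class Session:
    """Fingerprint of the first request plus accumulated penalty points."""
    fingerprint: dict
    points: int = 0
    terminated: bool = False

def fingerprint(req: dict) -> dict:
    """Reduce a request to the attributes compared across the session."""
    hdrs = req["headers"]  # list of (name, value) pairs in wire order
    return {
        "ip": req["ip"],
        "ssl_session_id": req.get("ssl_session_id"),
        "header_order": tuple(n.lower() for n, _ in hdrs),
        "user_agent": {n.lower(): v for n, v in hdrs}.get("user-agent"),
    }

def start_session(req: dict) -> Session:
    return Session(fingerprint=fingerprint(req))

def check_request(session: Session, req: dict) -> bool:
    """Add penalties for every changed attribute; False once the limit is exceeded."""
    if session.terminated:
        return False
    fp = fingerprint(req)
    for key, penalty in PENALTIES.items():
        if fp[key] != session.fingerprint[key]:
            session.points += penalty
    session.terminated = session.points > LIMIT
    return not session.terminated

# Constructed sample traffic: a legitimate client whose IP changes once (e.g.
# a mobile network hand-over) versus its cookie replayed from another machine.
BASE_HEADERS = [("Host", "app.example"), ("User-Agent", "BrowserA/1.0"),
                ("Accept", "text/html"), ("Cookie", "AL_SESS=abc")]
LEGIT = {"ip": "203.0.113.10", "ssl_session_id": "s1", "headers": BASE_HEADERS}
ROAMING = dict(LEGIT, ip="203.0.113.77")
REPLAYED = {"ip": "198.51.100.9", "ssl_session_id": "s2",
            "headers": [("Host", "app.example"), ("Cookie", "AL_SESS=abc"),
                        ("User-Agent", "curl/8.0")]}
```

A single IP change scores 3 points and is tolerated, whereas the replayed request changes the IP, SSL session ID, header order and User-Agent at once, exceeds the limit and terminates the session.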

Conclusion

Secure session tracking should not rely on either cookies or SSL session IDs alone, but rather on a combination of these two plus many more factors. Airlock detects and prevents session hijacking by continuously checking this fingerprint of a user's requests.

References

[1] MELANI, Swiss Federal Administration: Hacker attacks on the increase
