SecSess: keeping your session tucked away in your browser

SAC 2015: Symposium on Applied Computing, Salamanca, Spain, April 2015

Abstract
Session management is a crucial component of every modern web application: it links subsequent requests to temporary stateful information, enabling a rich and interactive user experience. Unfortunately, the de facto standard cookie-based session management mechanism is imperfect, which is why session management vulnerabilities rank second in the OWASP Top 10 of web application vulnerabilities [18]. While improved session management mechanisms have been proposed, none of them is compatible with currently deployed applications or infrastructure components such as web caches. We propose SecSess, a lightweight session management mechanism that addresses common session management vulnerabilities by ensuring that a session remains under the control of the parties that established it. SecSess is fully interchangeable with the currently deployed cookie-based session management and can be gradually deployed to clients and servers through an opt-in mechanism. Evaluation of our proof-of-concept implementation shows that SecSess introduces only minimal performance and networking overhead. Furthermore, we empirically show that SecSess is compatible with commonly used web caches, in contrast to alternative approaches.
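The security-relevant point of the abstract is the contrast between a cookie, which is a bearer credential (whoever presents the session id is the session, so an id leaked through a cache, a log or a script can be replayed or reused), and a session that stays "under the control of the parties that established it", where later requests must be authenticated with a per-session key that never travels with them. The Python below is an added illustration of that contrast written for this page; it is not the paper's protocol or code, and the page does not describe how SecSess establishes its key. The establishment step is therefore simply assumed: the server hands the client a key once, over a channel the attacker does not observe. The `Server`, `Client` and `attacker_forge` names and the request layout are hypothetical.

```python
import hashlib
import hmac
import secrets


def _canonical(request):
    """Bytes that the request authenticator covers: session id, per-session
    counter, method, path and body. Anything not covered could be altered."""
    fields = [request["sid"], str(request["counter"]),
              request["method"], request["path"], request["body"]]
    return "\n".join(fields).encode()


class Server:
    """Toy origin server with two session modes (illustration, not SecSess).

    bearer: a request is accepted if it carries a known session id, i.e. the
            cookie model.
    bound:  the request must also carry an HMAC over _canonical(request) made
            with a per-session key held only by the two parties, and a strictly
            increasing counter so an accepted request cannot be replayed.
    """

    def __init__(self, mode):
        assert mode in ("bearer", "bound")
        self.mode = mode
        self.sessions = {}  # sid -> {"key": bytes, "counter": int, "user": str}

    def establish(self, user):
        sid = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.sessions[sid] = {"key": key, "counter": 0, "user": user}
        # Assumption for this example: (sid, key) reaches the legitimate client
        # exactly once over a channel the attacker cannot see. Only sid (plus an
        # HMAC tag) appears on later requests; the key itself is never sent again.
        return sid, key

    def handle(self, request):
        sess = self.sessions.get(request["sid"])
        if sess is None:
            return 401
        if self.mode == "bearer":
            return 200  # the id alone is proof of session ownership
        expected = hmac.new(sess["key"], _canonical(request), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request.get("auth", "")):
            return 401  # sender does not hold the session key
        if request["counter"] <= sess["counter"]:
            return 401  # replay of an already-accepted request
        sess["counter"] = request["counter"]
        return 200


class Client:
    """Legitimate browser-side party holding the session key."""

    def __init__(self, sid, key):
        self.sid, self.key, self.counter = sid, key, 0

    def request(self, method, path, body=""):
        self.counter += 1
        req = {"sid": self.sid, "counter": self.counter,
               "method": method, "path": path, "body": body}
        req["auth"] = hmac.new(self.key, _canonical(req), hashlib.sha256).hexdigest()
        return req


def attacker_forge(observed, method, path, body):
    """Attacker who saw one request (and so knows the session id and an old
    tag) but never learned the key tries to issue a different request."""
    return {"sid": observed["sid"], "counter": observed["counter"] + 1,
            "method": method, "path": path, "body": body,
            "auth": observed.get("auth", "")}


def demo(mode):
    """Run one legitimate request, then a forgery and a replay; return codes."""
    server = Server(mode)
    sid, key = server.establish("alice")
    client = Client(sid, key)
    legit = client.request("GET", "/account")
    assert server.handle(legit) == 200
    forged = attacker_forge(legit, "POST", "/transfer", "to=mallory&amount=1000")
    replay = dict(legit)  # the captured request re-sent unchanged
    return {"forged": server.handle(forged), "replay": server.handle(replay)}


if __name__ == "__main__":
    print("bearer:", demo("bearer"))  # both attacks succeed with the id alone
    print("bound: ", demo("bound"))   # both are rejected without the key
```

In bearer mode both the forged transfer and the replayed request return 200, because possession of the session id is all the server checks. In bound mode the forgery fails the HMAC check (the attacker cannot compute a tag over the new method, path and body without the key) and the replay fails the counter check even though its tag is valid. Note what this does and does not cover: it shows why binding requests to a key the attacker never sees removes the value of a leaked session id, but the key establishment, the opt-in negotiation and the cache behaviour the abstract mentions are not modelled here.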