HTTP cookies are the de facto mechanism for session authentication. However, cookies were not designed for such security functionality. By default, cookies can be easily disclosed on the network, allowing adversaries to execute session hijacking attacks with tools such as Firesheep and DroidSheep. In general, web applications have relied on HTTPS and the secure flag to prevent such attacks. However, configuration errors and attacks against HTTPS can still expose cookies to an adversary. In addition, HTTPS can only protect cookies while they travel across the network; cookies can also be disclosed in the browser by a variety of attacks such as XSS, XST, related-domain attacks, malware and others. In summary, due to their simple design, cookies are inherently weak session authenticators and require additional mechanisms to protect them.
We propose One-Time Cookies (OTC), a more secure alternative to cookies for session authentication. Unlike cookies, OTC is secure by design. The main benefits of OTC are:
- OTC generates a unique token per request based on a session key. Each OTC token is tied to a particular request by using a Hash-based Message Authentication Code (HMAC). Thus, session hijacking attacks are not possible. In addition, OTC can protect the integrity of the user payload (e.g., POST form data).
- OTC uses encrypted tickets (like Kerberos) to avoid additional state in the web application. This property is important for web applications that rely on the REST architectural model (e.g., Google, Yahoo, Facebook).
- OTC credentials are securely stored and isolated from other browser components by default. Therefore, the many different attacks used to steal cookies from the browser will not work against OTC.
- OTC credentials stored in the browser cannot be modified without knowledge of the session secret. This approach prevents session fixation and cookie clobbering attacks.
- Web applications can use both OTC and cookies for session authentication without security or functionality issues. Hence, OTC can be deployed incrementally to avoid affecting users.
- OTC is transparent to the user once its support is enabled in the browser (as an extension or as part of the browser itself).
- In general, adding OTC support in the web application is straightforward. OTC generation and verification functions just need to be added where equivalent cookie functions are used. As an example, look at our Wordpress plugin.
- OTC has similar performance requirements to cookies. Thus, no additional hardware or optimizations are required in the web application.
- OTC simplifies the security architecture of web applications by removing the risk of disclosing cookies accidentally or through attacks. In addition, web developers do not need to worry about using different combinations of cookies and flags for secure session authentication.
- OTC and HTTPS are complementary security mechanisms. OTC can be enabled in addition to HTTPS to provide an additional layer of security if HTTPS fails. In addition, OTC can be a cheaper and simpler alternative to prevent session hijacking if a web application cannot afford moving to HTTPS-only communications.
Flow diagram of a web session using OTC. Messages 1 and 2 represent the user login transaction and require HTTPS protection. After user login, HTTPS is optional; each browser request includes a unique OTC token (message 3) to authenticate the request.
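As an added illustration of the design described above (this is not the project's code, and the exact OTC message format is in the technical report), the following Go program models a stateless OTC verifier: at login (messages 1 and 2) the server seals a per-session key inside an encrypted ticket, and every later request (message 3) carries an HMAC token computed over the request method, path, a per-request counter and the body. The function names, the field layout inside the HMAC, the counter, and the use of AES-GCM for the ticket are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Long-term key known only to the web application (constructed for this example).
var serverKey = sha256.Sum256([]byte("constructed-example-server-key"))

func aead() cipher.AEAD {
	block, _ := aes.NewCipher(serverKey[:]) // 32-byte key, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// IssueTicket seals a per-session key at login; the browser presents the ticket on every
// request, so the server keeps no session table (Kerberos-style, as the page describes).
func IssueTicket(sessionKey []byte) string {
	g := aead()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return an error in current Go
	return hex.EncodeToString(g.Seal(nonce, nonce, sessionKey, nil))
}

// OpenTicket recovers the session key; a forged or edited ticket fails the GCM tag check.
func OpenTicket(ticket string) ([]byte, error) {
	raw, err := hex.DecodeString(ticket)
	g := aead()
	if err != nil || len(raw) < g.NonceSize() {
		return nil, fmt.Errorf("malformed ticket")
	}
	return g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
}

// Token is the per-request OTC (assumed layout): an HMAC under the session key over method,
// path, request counter and body, so it authenticates exactly this request and payload.
func Token(sessionKey []byte, method, path string, counter uint64, body []byte) string {
	mac := hmac.New(sha256.New, sessionKey)
	fmt.Fprintf(mac, "%s\n%s\n%d\n%s", method, path, counter, body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify runs where the application would otherwise check a session cookie.
func Verify(ticket, token, method, path string, counter uint64, body []byte) bool {
	key, err := OpenTicket(ticket)
	return err == nil && hmac.Equal([]byte(Token(key, method, path, counter, body)), []byte(token))
}
```

A token captured on the network is useless to a hijacker because it only validates the one request it was computed for; replay detection of the counter (or a timestamp window) is left out here.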
For more details about the OTC protocol, please check its technical report:
Italo Dacosta, Saurabh Chakradeo, Patrick Traynor and Mustaque Ahamad, One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials, SCS Technical Report GT-CS-11-04, Georgia Institute of Technology.
This plugin adds OTC support to Wordpress. Standard cookie authentication still works if the browser does not support OTC. The plugin has been tested with WordPress 3.3.x; however, it is an experimental prototype not designed for production environments. For installation, use the following steps:
- Download the OTC Wordpress plugin.
- Copy the wp_otc.php file to the Wordpress plugin directory:
[web root dir]/wordpress/wp-content/plugins
- Edit wp_otc.php and update the $domain PHP variable with your domain name. For example, if your domain is example.com then:
$domain = ".example.com";
- In WordPress, log in with administrator privileges and go to Dashboard->Plugins. The wp_otc plugin should appear in the list of available plugins. Click on Activate to enable OTC support in WordPress. If you have not done it yet, download the Firefox OTC extension.
- That's all. You can say goodbye to HTTP session hijacking attacks!
This add-on provides OTC support to the Firefox desktop browser (support for Firefox for mobile will be added soon). Activating OTC in Firefox will not affect standard cookie authentication with web sites that do not support OTC. This add-on has been tested with Firefox 9.x and 10.x; however, it is an experimental prototype not designed for production environments. For installation, use the following steps:
- Download the OTC add-on for Firefox.
- In Firefox, go to File->Open File (Mac OSX) or New Tab->Open File (Windows) and select the otc.xpi file. Follow the Firefox add-on installation dialog.
- The OTC button should appear on the right side of the Add-on Bar at the bottom of the browser window. If you cannot see the Add-on Bar, go to View->Toolbars (Mac OSX) or Options (Windows) and select the Add-on Bar.
- Click on the OTC button to activate it. It should turn green once it is active. Click on it again to deactivate it; it should turn back to grey.
- That's all. To view your browser's HTTP requests using OTC, you can use the Live HTTP Headers Firefox add-on or a network sniffer such as Wireshark.
We have created a Wordpress demo website to evaluate OTC using the Firefox add-on. If you want to test it, please send me an email (see my contact information) and I will be glad to create an account for you. Comments and suggestions are also appreciated.
Please send any questions, comments and recommendations to idacosta 'at' gatech.edu
See my webpage for additional contact information. Thanks.