http://dx.doi.org/10.3745/KTCCS.2015.4.1.31

A Defense Mechanism Based on Session Status against Cookie Replay Attack in Web Applications

Won, Jong Sun (Department of Information Science, Korea National Open University)
Park, JiSu (Institute of Information and Creative Education, Korea University)
Shon, Jin Gon (Department of Computer Science, Korea National Open University)
Publication Information
KIPS Transactions on Computer and Communication Systems / v.4, no.1, 2015, pp. 31-36
Abstract
As web access has become easier, security has become a much more important issue in web applications that require user authentication. Cookies are used to reduce the session load on the server and to manage user information efficiently in web applications. However, a cookie containing user information can be sniffed by an attacker. With the sniffed cookie, the attacker can retain the lawful user's web application session as if the attacker were the lawful user. This kind of attack is called a cookie replay attack, and it causes serious security problems in web applications. In this paper, we introduce a mechanism to detect and defend against cookie replay attacks, and verify its effectiveness.
Keywords
Web Applications; Session; Cookie; Cookie Replay Attack; Security;
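As an added illustration (not the paper's own mechanism, whose details are not given on this page), the following Python sketch keeps a per-session status record on the server and rotates a counter inside an HMAC-protected cookie, so that a sniffed cookie presented a second time is recognised as a replay and the session is revoked. The class and function names, the cookie layout and the revoke-on-replay policy are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # constructed secret; keep out of source in practice

class SessionServer:
    """Server-side session table: sid -> {"user", "status", "counter"}."""
    def __init__(self):
        self.sessions = {}

    def _cookie(self, sid, counter):
        # Cookie = sid:counter:HMAC, so a client cannot forge the counter.
        tag = hmac.new(SERVER_KEY, f"{sid}:{counter}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}:{counter}:{tag}"

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "status": "active", "counter": 0}
        return self._cookie(sid, 0)

    def request(self, cookie):
        """Check a cookie against session status; returns (accepted, reason, next_cookie)."""
        try:
            sid, counter_str, tag = cookie.split(":")
            counter = int(counter_str)
        except ValueError:
            return False, "malformed", None
        expected = hmac.new(SERVER_KEY, f"{sid}:{counter}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-mac", None
        sess = self.sessions.get(sid)
        if sess is None or sess["status"] != "active":
            return False, "no-active-session", None
        if counter != sess["counter"]:
            # Counter already consumed: treat as replay and revoke the session for everyone.
            sess["status"] = "revoked"
            return False, "replay-detected", None
        sess["counter"] += 1  # advance session status and rotate the cookie
        return True, "ok", self._cookie(sid, sess["counter"])

def demo():
    """Victim logs in and makes one request; an attacker then replays the sniffed cookie."""
    srv = SessionServer()
    c0 = srv.login("alice")
    ok_victim, _, c1 = srv.request(c0)           # legitimate use of c0
    ok_attacker, reason, _ = srv.request(c0)     # replay of the sniffed c0
    ok_after, reason_after, _ = srv.request(c1)  # victim is cut off too
    return ok_victim, ok_attacker, reason, ok_after, reason_after
```

A stale-counter check only fires when a cookie is presented a second time, so whichever party presents it second (attacker or victim) triggers the revocation; the gain is that the hijack is detected and the session closed instead of continuing silently.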
Times Cited By KSCI: 1