Abstract
Session sidejacking is the theft of the cookies a web application uses to authenticate a user to the server. It is a form of session hijacking in which the attacker uses a packet sniffer to listen to the traffic between client and server and copies the session cookie. Many websites use Hypertext Transfer Protocol Secure (HTTPS) only for the login step, to protect the user name and password, and then fall back to plain Hypertext Transfer Protocol (HTTP) for the rest of the session, so every cookie that identifies the authenticated user travels to the server over an unencrypted connection. Anyone sniffing that network can copy the cookies and use them to impersonate the victim and act on the victim's behalf; the attacker never learns the password, but does not need it. This paper proposes a three-tier session verification technique that is impervious to session sidejacking. The technique allows the application to keep using HTTP after login while still protecting users from sidejacking; it assumes that the server uses HTTPS for the login exchange itself, so that the password is never transmitted in the clear. It uses the HTML5 (Hyper Text Markup Language Version 5) feature called "local storage" in place of cookies to overcome the weaknesses of cookie-based session transport, and it foils any attempt to sidejack a session. The technique can be implemented with server-side logic and client-side JavaScript.