Session Hijacking-Protection

Session hijacking is not new to computer security. The term most commonly describes the takeover of an established TCP connection by a sequence-number prediction attack, in which the attacker gains control of a connection that the two endpoints have already set up. Applied to Web application security, session hijacking refers to the takeover of a Web application session.

HTTP is a stateless protocol with its origins in information dissemination. Clients request a particular resource, which is eventually delivered by the server hosting it. The goal of the World Wide Web in its early days was to provide a uniform medium for disseminating information via HTTP and rendering it via HTML, with hyperlinks cross-referencing one document to another. As time went by, servers gained the ability to handle dynamically generated content and to execute programs that generated HTML, and the demand for interactivity grew. Because it could handle both text and graphics, the browser became the universal client. Small-scale applications began to be hosted on Web servers using CGI scripting, which opened participation to every Internet user who had a browser; the underlying operating system no longer mattered, since anyone with a browser could use the application. Application development thus went from a central mainframe-terminal concept to the client-server model, and back to a central Web server-browser concept again.

These days, Web application servers host complex applications, such as an entire office productivity suite. Microsoft Outlook for the Web is an example of delivering a fully featured e-mail client over a Web browser. Lotus Domino servers provide a Web interface that lets users perform more or less the same tasks as can be performed via a Lotus Notes client.

All multiuser applications embody the concept of a user session. Each user interacts with the application via a separate user session. The application keeps track of all who are currently using the application via sessions. This capability is essential for segregating user activity.

Despite rapid changes in Web server technology, the HTTP protocol has remained the same; HTTP 1.1 is still the most widely used version. The greatest hurdle in designing and hosting Web-based applications is working around the statelessness of HTTP. No standard governs how a Web-based application should provide its own state-maintaining mechanism over HTTP, so developers tackle state preservation in different ways. There are good and poor ways of approaching the problem, and both yield a workable application; it is the poor ways of implementing session state that lead to attacks such as session hijacking.
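The following is an added example, not code from the original text, illustrating the user-session concept and the two ways of carrying state over stateless HTTP that the passages above contrast. It places a poor session-identifier scheme (a sequential counter, trivially guessable) beside a sound one (an opaque token from the operating system's CSPRNG), keeps the per-user state on the server side with an idle timeout, and shows the cookie attributes and the `Cookie:` parsing a server needs so that each request can be tied back to its session. All names (`SessionStore`, `handle_request`, the `session` cookie name, the `X-User` header) are assumptions made for this example.

```python
"""Minimal session-state layer over stateless HTTP (added example, not from the
original text). Names and the toy /login flow are assumptions for illustration."""
import secrets
import time
from http.cookies import SimpleCookie

# --- Poor approach: sequential ids. Whoever sees one id can guess its neighbours.
_counter = 1000

def weak_session_id():
    global _counter
    _counter += 1
    return str(_counter)  # "1001" for one user, "1002" for the next


# --- Good approach: 256 bits from the OS CSPRNG, URL-safe encoded (43 chars).
def strong_session_id():
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side map from opaque session id to per-user state with idle timeout.
    The id is the only thing the client ever holds; the state never leaves the server."""

    def __init__(self, idle_seconds=900, id_source=strong_session_id):
        self.idle_seconds = idle_seconds
        self._id_source = id_source
        self._sessions = {}  # sid -> {"user": str, "last_seen": float}

    def create(self, user, now=None):
        sid = self._id_source()
        self._sessions[sid] = {"user": user,
                               "last_seen": time.time() if now is None else now}
        return sid

    def lookup(self, sid, now=None):
        """Return the user bound to sid, or None if the id is unknown or idle too long."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_seconds:
            del self._sessions[sid]  # expired: drop it and treat as no session
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Explicit logout: forget the session on the server, not just in the browser."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps page scripts from reading the id, Secure keeps
    it off plaintext HTTP, SameSite=Lax limits cross-site requests that carry it."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract the session id from a raw Cookie: request header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    return morsel.value if morsel else None


def handle_request(store, path, headers, now=None):
    """Toy request handler: /login issues a session; every other path requires one.
    Returns (status, response_headers, body)."""
    if path == "/login":
        sid = store.create(headers.get("X-User", "anonymous"), now)
        return 200, {"Set-Cookie": set_cookie_header(sid)}, "logged in"
    user = store.lookup(session_id_from_cookie(headers.get("Cookie")), now)
    if user is None:
        return 401, {}, "no valid session"
    return 200, {}, f"hello {user}"


if __name__ == "__main__":
    store = SessionStore(idle_seconds=60)
    status, hdrs, _ = handle_request(store, "/login", {"X-User": "alice"}, now=100.0)
    print(status, hdrs["Set-Cookie"])
    sid = hdrs["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(handle_request(store, "/inbox", {"Cookie": f"session={sid}"}, now=120.0))
    print(handle_request(store, "/inbox", {"Cookie": f"session={sid}"}, now=200.0))
```

The two id generators are interchangeable through `id_source`, which is the point: the rest of the code is identical, so the difference between a hijackable application and a sound one can be nothing more than where the session identifier comes from. The idle timeout and the server-side `destroy` bound how long a leaked or guessed id stays usable.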