Measuring Web Session Security at Scale

Abstract Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild.