Measuring Web Session Security at Scale

COMPUTERS & SECURITY(2021)

Citations: 3 | Views: 5
Abstract
Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild. (c) 2021 Elsevier Ltd. All rights reserved.
Keywords
Session security, Shepherd, Black-box testing, Web measurements, Automated login, Authentication