SessionJuggler: Secure Web Login From an Untrusted Terminal Using Session Hijacking

Authors: E. Bursztein, C. Soman, D. Boneh, and J. Mitchell

We use modern features of web browsers to develop a secure login system from an untrusted terminal. The system, called SessionJuggler, requires no server-side changes and no special software on the terminal beyond a modern web browser. This important property makes adoption much easier than with previous proposals. With SessionJuggler, users never enter their long-term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal. We show that SessionJuggler works on all the Alexa top 100 sites (except three, because the Android browser is not able to render them). We also show that SessionJuggler works flawlessly with Facebook Connect. Beyond login, SessionJuggler also provides a secure logout mechanism in which the trusted phone is used to kill the session. To validate the session juggling concept we conducted a number of web site surveys that are of independent interest. First, we survey how web sites bind a session token to a specific device and show that most use fairly basic techniques that are easily defeated. Second, we survey how web sites handle logout and show that many popular sites surprisingly do not properly handle logout requests.
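The abstract's logout finding, that a site which only tells the browser to discard the cookie leaves the token usable by anyone who still holds it, is the property that matters for session juggling: once the session has been handed to an untrusted terminal, the phone can only "kill" it if the server invalidates the token. The following is an added illustration written for this page, not code from the paper or from SessionJuggler; `SessionStore`, `handle_request` and `juggling_scenario` are hypothetical names, and the tokens and headers are constructed sample values. It contrasts a server-side logout with a client-only logout and shows what the terminal's stale cookie can still do afterwards.

```python
"""Server-side session store contrasting proper and client-only logout (added example)."""
import secrets
import time


class SessionStore:
    """Hypothetical server-side session table keyed by a random bearer token."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user": str, "expires": float}

    def login(self, user, now=None):
        """Issue a fresh, unguessable token and record it server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def lookup(self, token, now=None):
        """Return the user bound to a token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(token, None)
            return None
        return entry["user"]

    def logout_server_side(self, token):
        """Proper logout: delete the token so no holder of the cookie can reuse it."""
        return self._sessions.pop(token, None) is not None

    def logout_client_only(self, token):
        """The failure mode the survey describes: only instruct the browser to drop
        the cookie; the server keeps the token valid until its TTL runs out."""
        return "Set-Cookie: session=; Max-Age=0"


def handle_request(store, headers, now=None):
    """Resolve the requesting user from the Cookie header, as a server would."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return store.lookup(value, now)
    return None


def juggling_scenario(proper_logout):
    """Phone logs in, the session cookie is transferred to a terminal, then the
    phone logs out. Returns (user seen before logout, user seen after logout)."""
    store = SessionStore(ttl_seconds=3600)
    token = store.login("alice", now=0.0)            # constructed: login from the phone
    terminal_headers = {"Cookie": f"session={token}"}  # the transferred session cookie
    before = handle_request(store, terminal_headers, now=10.0)
    if proper_logout:
        store.logout_server_side(token)
    else:
        store.logout_client_only(token)  # header sent to the phone; terminal unaffected
    after = handle_request(store, terminal_headers, now=20.0)
    return before, after


def expiry_scenario():
    """Even without logout, a token must stop working once its TTL has passed."""
    store = SessionStore(ttl_seconds=60)
    token = store.login("bob", now=0.0)
    return store.lookup(token, now=30.0), store.lookup(token, now=61.0)


if __name__ == "__main__":
    print("server-side logout:", juggling_scenario(True))
    print("client-only logout:", juggling_scenario(False))
    print("expiry:", expiry_scenario())
```

With a server-side logout the terminal's copy of the cookie is rejected on the next request; with a client-only logout the terminal keeps a valid session until expiry, which is exactly why a secure logout mechanism driven from the trusted phone needs the server to honour the request.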

In Proceedings of the 21st International World Wide Web conference (WWW), 2012, ACM Press, pp. 321-330.

Full paper: pdf [first posted 7/2012]