Chinmay Soman : 2011 Security Workshop


Monday, April 11, 2011
Location: Fisher Conference Center, Arrillaga Alumni Center

"SessionJuggler: Secure Web Login From an Untrusted Terminal Using Session Hijacking"
3:15pm - 3:45pm


In this work we show how secure web login can be achieved on an untrusted terminal by performing session hijacking. While there are many proposals for securing a login from an untrusted terminal, they all require either server-side changes or terminal-side changes. We explore a new web user authentication mechanism called SessionJuggler that enables users to log in without ever entering a long-term credential on the insecure terminal. SessionJuggler requires no server-side changes and assumes no special software on the terminal beyond a modern web browser. Roughly speaking, with SessionJuggler users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the terminal. The challenge is to ensure that this transfer, which looks like session hijacking, does not cause the web site to invalidate the session. We survey session hijacking defenses used by popular sites and explain how SessionJuggler bypasses all these defenses. Beyond session migration, SessionJuggler also provides a trusted logout mechanism where the trusted phone is used to kill the session.


I am a second-year Master's student studying Computer Science at Stanford. I work under Prof. Dan Boneh as a research assistant on system and Internet security. I am specializing in the Systems track for my Master's and have been involved with some other research projects in the past at Stanford (Prpl and Meru).