The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
In a typical authenticated HyperText Transfer Protocol (HTTP) session, a client is required to present authentication credentials such as, for example, a username/password or some other authentication certificate in order to gain access to resources provided by an HTTP server. At the end of the authentication phase, the client is given an authentication cookie that is used to verify the HTTP requests sent by the client during the HTTP session. Typically, a client can concurrently open multiple Transmission Control Protocol (TCP) connections to send HTTP requests to the HTTP server during an active authenticated HTTP session. The client includes the authentication cookie for the session with each HTTP request sent on any of the TCP connections.
It is possible for an adversary to use malicious code to obtain an authentication cookie that is stored on a client, and thereafter to use the authentication cookie in order to gain unauthorized access by masquerading as the legitimate client. This type of attack, in which an unauthorized entity obtains an authentication cookie from a legitimate client and uses the cookie to gain unauthorized access, is referred to herein as a “stolen cookie attack.” For example, the adversary may use some sort of phishing attack to gain access to the cookie file stored at the client and to read any authentication cookies stored therein, or use a network sniffer to intercept the messages sent on clear-text transport connections. Once the adversary obtains an authentication cookie, the adversary can gain unauthorized access by masquerading as the legitimate client since the cookie is used to keep track of the authentication state of the client.
Although the above stolen cookie attack scenario is presented herein for HTTP sessions, it is noted that this attack scenario is not unique to sessions established over the HTTP protocol. Rather, the above attack scenario is possible for any application, presentation, and/or session layer protocol that allows authenticated sessions over a transport layer protocol.
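As an added illustration of the session model in the two preceding passages (not code from this application), the following constructed Python model issues an authentication cookie after a credential check and then verifies each request by the cookie alone, exactly the bearer-only check the text describes. It adds one defender-side heuristic that is an assumption for the example, not a method of this application: the session table remembers the client addresses a cookie has been seen from, so several TCP connections from the same client pass silently while the same cookie arriving from a second address is flagged for review. The user store, salt and addresses are constructed sample values.

```python
import hashlib
import os

# Constructed credential store: PBKDF2 verifier per user (fixed salt is a demo
# simplification; a real store uses a per-user random salt).
SALT = b"constructed-demo-salt"

def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _derive("correct horse")}

# Session table: cookie value -> {"user": name, "peers": client addresses seen}
SESSIONS = {}

def authenticate(username, password):
    """Authentication phase: verify credentials and issue a random cookie."""
    expected = USERS.get(username)
    if expected is None or not hashlib.pbkdf2_hmac(
        "sha256", password.encode(), SALT, 100_000
    ) == expected:
        return None
    cookie = os.urandom(16).hex()
    SESSIONS[cookie] = {"user": username, "peers": set()}
    return cookie

def handle_request(cookie, peer):
    """Per-request check as in the text: the cookie alone proves the session.

    Returns (status, user, suspicious). 'suspicious' is the constructed
    detection heuristic: the cookie was already used from a different client
    address. Extra TCP connections from the same peer are normal and not
    flagged. A stolen cookie is still accepted (status 200), which is the
    point of the scenario above; the flag only gives the server a signal.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, None, False
    suspicious = bool(session["peers"]) and peer not in session["peers"]
    session["peers"].add(peer)
    return 200, session["user"], suspicious
```

Because the heuristic keys on the client address, clients behind changing NAT or mobile networks will trigger false positives; it is a review signal, not a rejection rule.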