{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T10:47:42Z","timestamp":1769942862367,"version":"3.49.0"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2015,6,12]],"date-time":"2015-06-12T00:00:00Z","timestamp":1434067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Italian Ministry of University and Research (MIUR) Projects PON TETRis"},{"name":"PON ADAPT"},{"name":"Italian Ministry of Economic Development Project MOTUS"},{"name":"PRIN CINA"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2015,6,20]]},"abstract":"<jats:p>Browser-based defenses have recently been advocated as an effective mechanism to protect potentially insecure web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them against theft or otherwise unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this article, we conduct the first such formal assessment, based on a ground truth of 2,464 cookies we collect from 215 popular websites of the Alexa ranking.<\/jats:p>\n          <jats:p>\n            To obtain the ground truth, we devise a semiautomatic procedure that draws on the novel notion of\n            <jats:italic>authentication token<\/jats:italic>\n            , which we introduce to capture multiple web authentication schemes. 
We test existing browser-based defenses in the literature against our ground truth, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on\n            <jats:italic>supervised learning<\/jats:italic>\n            , where our ground truth is used to train a set of binary classifiers, and report on experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classifiers, together with our hands-on experience in the construction of the ground truth, provide new insight on how web authentication is actually implemented in practice.\n          <\/jats:p>","DOI":"10.1145\/2754933","type":"journal-article","created":{"date-parts":[[2015,6,12]],"date-time":"2015-06-12T18:26:28Z","timestamp":1434133588000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":21,"title":["A Supervised Learning Approach to Protect Client Authentication on the Web"],"prefix":"10.1145","volume":"9","author":[{"given":"Stefano","family":"Calzavara","sequence":"first","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Venezia Mestre (Italy)"}]},{"given":"Gabriele","family":"Tolomei","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia; Yahoo Labs, London UK"}]},{"given":"Andrea","family":"Casini","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Venezia Mestre (Italy)"}]},{"given":"Michele","family":"Bugliesi","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Venezia Mestre (Italy)"}]},{"given":"Salvatore","family":"Orlando","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Venezia Mestre (Italy)"}]}],"member":"320","published-online":{"date-parts":[[2015,6,12]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"International 
Conference on Very Large Data Bases (VLDB\u201994)","author":"Agrawal Rakesh","year":"1994","unstructured":"Rakesh Agrawal and Ramakrishnan Srikant. 1994. Fast algorithms for mining association rules. In International Conference on Very Large Data Bases (VLDB\u201994). 487--499."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.csda.2007.08.015"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1022607123649"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04897-0_11"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2014.33"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2566486.2568047"},{"key":"e_1_2_1_8_1","volume-title":"Data Mining and Knowledge Discovery Handbook","author":"Chawla Nitesh V.","unstructured":"Nitesh V. Chawla. 2005. Data mining for imbalanced datasets: An overview. In Data Mining and Knowledge Discovery Handbook. Springer, 853--867."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2220352.2220353"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11747-3_2"},{"key":"e_1_2_1_11_1","volume-title":"European Symposium on Research in Computer Security (ESORICS\u201911)","author":"Ryck Philippe De","year":"2011","unstructured":"Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens. 2011. Automatic and precise client-side protection against CSRF attacks. In European Symposium on Research in Computer Security (ESORICS\u201911). 100--116."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30823-9_5"},{"key":"e_1_2_1_13_1","volume-title":"Pattern Recognition: A Statistical Approach","author":"Devyver P. A.","year":"1982","unstructured":"P. A. Devyver and J. Kittler. 1982. Pattern Recognition: A Statistical Approach. Prentice-Hall."},{"key":"e_1_2_1_14_1","volume-title":"21st USENIX Security Symposium. 317--331","author":"Dietz Michael","unstructured":"Michael Dietz, Alexei Czeskis, Dirk Balfanz, and Dan S. Wallach. 2012. Origin-bound certificates: A fresh approach to strong client authentication for the web. In 21st USENIX Security Symposium. 317--331."},{"key":"e_1_2_1_15_1","volume-title":"17th International Joint Conference on Artificial Intelligence. 973--978","author":"Elkan Charles","year":"2001","unstructured":"Charles Elkan. 2001. The foundations of cost-sensitive learning. In 17th International Joint Conference on Artificial Intelligence. 973--978."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242661"},{"key":"e_1_2_1_17_1","volume-title":"XSS Attacks: Cross Site Scripting Exploits and Defense","author":"Fogie Seth","year":"2007","unstructured":"Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. 2007. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress Publishing."},{"key":"e_1_2_1_18_1","series-title":"Cryptographic Series","volume-title":"The Index of Coincidence and Its Applications to Cryptanalysis","author":"Friedman William F.","unstructured":"William F. Friedman. 1922. The Index of Coincidence and Its Applications to Cryptanalysis. Cryptographic Series."},{"key":"e_1_2_1_19_1","volume-title":"10th USENIX Security Symposium.","author":"Fu Kevin","year":"2001","unstructured":"Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster. 2001. The Dos and Don\u2019ts of client authentication on the web. In 10th USENIX Security Symposium."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1992.4.1.1"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2009.02.037"},{"key":"e_1_2_1_22_1","doi-asserted-by":"crossref","unstructured":"Jeff Hodges, Collin Jackson, and Adam Barth. 2012. HTTP Strict Transport Security. Retrieved from http:\/\/tools.ietf.org\/html\/rfc6797.","DOI":"10.17487\/rfc6797"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367569"},{"key":"e_1_2_1_24_1","volume-title":"An Introduction to Statistical Learning: With Applications in R","author":"James Gareth","unstructured":"Gareth James, Daniela Witten, Trevor Hastie, and Robert Tibshirani. 2014. An Introduction to Statistical Learning: With Applications in R. Springer."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.3233\/IDA-2002-6504"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1982185.1982511"},{"key":"e_1_2_1_27_1","volume-title":"OWASP Europe Conference. 5--17","author":"Johns Martin","year":"2006","unstructured":"Martin Johns and Justus Winter. 2006. RequestRodeo: Client side protection against session riding. In OWASP Europe Conference. 5--17."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23162"},{"key":"e_1_2_1_29_1","volume-title":"Advanced Engineering Mathematics (4 ed.)","author":"Kreyszig E.","unstructured":"E. Kreyszig. 1979. Advanced Engineering Mathematics (4 ed.). Wiley."},{"key":"e_1_2_1_30_1","volume-title":"Machine Learning (1 ed.)","author":"Mitchell Thomas M.","unstructured":"Thomas M. Mitchell. 1997. Machine Learning (1 ed.). McGraw-Hill, New York."},{"key":"e_1_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, and Wouter Joosen. 2011. SessionShield: Lightweight protection against session hijacking. In Engineering Secure Software and Systems (ESSoS\u201911). 87--100.","DOI":"10.1007\/978-3-642-19125-1_7"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1162\/153244304322972694"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.7763\/IJMLC.2013.V3.307"},{"key":"e_1_2_1_34_1","volume-title":"USENIX Conference on Networked Systems Design and Implementation (NSDI\u201912)","author":"Roesner Franziska","year":"2012","unstructured":"Franziska Roesner, Tadayoshi Kohno, and David Wetherall. 2012. Detecting and defending against third-party tracking on the web. In USENIX Conference on Networked Systems Design and Implementation (NSDI\u201912). 1--14."},{"key":"e_1_2_1_35_1","volume-title":"Introduction to Modern Information Retrieval","author":"Salton G.","unstructured":"G. Salton and M. J. McGill. 1986. Introduction to Modern Information Retrieval. McGraw-Hill, New York."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1948.tb01338.x"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046777"},{"key":"e_1_2_1_39_1","unstructured":"Gary M. Weiss, Kate McCarthy, and Bibi Zabar. 2007. Cost-Sensitive Learning vs. Sampling: Which is Best for Handling Unbalanced Classes with Unequal Error Costs? Retrieved from http:\/\/storm.cis.fordham.edu\/gweiss\/papers\/dmin07-weiss.pdf."},{"key":"e_1_2_1_40_1","volume-title":"Web 2.0 Security and Privacy Workshop (W2SP\u201910)","author":"Zhou Yuchen","year":"2010","unstructured":"Yuchen Zhou and David Evans. 2010. Why aren\u2019t HTTP-Only cookies more widely deployed. In Web 2.0 Security and Privacy Workshop (W2SP\u201910)."}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2754933","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2754933","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T06:16:40Z","timestamp":1750227400000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2754933"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,6,12]]},"references-count":40,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2015,6,20]]}},"alternative-id":["10.1145\/2754933"],"URL":"https:\/\/doi.org\/10.1145\/2754933","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"value":"1559-1131","type":"print"},{"value":"1559-114X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,6,12]]},"assertion":[{"value":"2014-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-03-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-06-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
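The abstract above sets the value-based, client-side heuristics of existing browser defenses against classifiers trained on a labelled ground truth. The Python below is an added illustration of that contrast, not code from the paper and not the authors' ground truth, feature set or classifiers: it hand-labels a small constructed set of cookies, scores a keyword-plus-entropy heuristic against the labels, then fits an ID3 decision tree on cookie attributes (HttpOnly, Secure, persistence) alongside the same value statistics, and applies both to two unseen cookies. The cookie values, labels, keyword list, thresholds and feature names are assumptions made for the example.

```python
"""Added illustration, not code from the paper: a value-based heuristic versus a
supervised classifier for spotting authentication cookies. Records, labels, keyword
list, thresholds and features are constructed assumptions, not the authors' data."""
import math
import re
from collections import Counter

# Constructed, hand-labelled records: (name, value, httponly, secure, persistent, is_auth).
# Values are made up; familiar names (_ga, csrftoken, ...) only hint at the cookie's role.
COOKIES = [
    ("PHPSESSID",   "q8Zk2Lw5Tn9Rb4Xv7Jc1Mp6Hd3Gy0Fs",  True,  False, False, True),
    ("JSESSIONID",  "A1B2C3D4E5F6G7H8I9J0KLMNPQRSTUV",  True,  False, False, True),
    ("remember_me", "mX4pQ9vL2tK7rN1wH6yB3zC8jD5fG0sE", True,  True,  True,  True),
    ("uid",         "u42-1434067200",                   True,  False, True,  True),   # weak, short authenticator
    ("SID",         "t5Vc8Nx2Qh6Bk9Mw3Pz1Ry7Sd4Lf0Ej",  True,  True,  False, True),
    ("auth",        "Zp3Kq7Wm1Xs9Tv5Rn2Yb8Lc4Hf6Jd0Gg", False, True,  False, True),   # authenticator without HttpOnly
    ("_ga",         "GA1.2.1234567890.1434067200",      False, False, True,  False),  # analytics id set by script
    ("_gid",        "GA1.2.987654321.1434067200",       False, False, True,  False),
    ("lang",        "en-US",                            False, False, True,  False),
    ("consent",     "accepted",                         False, False, True,  False),
    ("csrftoken",   "k3Fz7Rw1Hq9Vb5Nt2Xm8Jc6Ly4Pd0Gs",  False, False, True,  False),  # anti-CSRF, not an authenticator
    ("ab_variant",  "B",                                False, False, True,  False),
    ("theme",       "dark",                             False, False, True,  False),
    ("route",       "web03",                            True,  False, False, False),  # server-affinity cookie
]

def entropy(seq):
    """Shannon entropy (bits) of the symbol distribution of seq: characters or labels."""
    n = len(seq)
    return -sum(k / n * math.log2(k / n) for k in Counter(seq).values()) if n else 0.0

# A client-side heuristic of the kind the abstract refers to: a telltale name, or a long
# high-entropy value. The keyword list and thresholds are this example's assumptions.
KEYWORDS = re.compile(r"sess|auth|token|login|sid", re.I)
MIN_LEN, MIN_ENTROPY = 16, 3.0

def heuristic_is_auth(name, value):
    return bool(KEYWORDS.search(name)) or (len(value) >= MIN_LEN and entropy(value) >= MIN_ENTROPY)

# Boolean features for the learner: cookie attributes plus the statistics the heuristic uses.
FEATURES = ("httponly", "secure", "persistent", "keyword_name", "long_value", "high_entropy")

def features(cookie):
    name, value, httponly, secure, persistent = cookie[:5]
    return {"httponly": httponly, "secure": secure, "persistent": persistent,
            "keyword_name": bool(KEYWORDS.search(name)),
            "long_value": len(value) >= MIN_LEN,
            "high_entropy": entropy(value) >= MIN_ENTROPY}

def build_tree(rows, feats=FEATURES, default=False):
    """ID3 decision tree over boolean features; rows are (feature_dict, label) pairs."""
    if not rows:
        return default
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not feats:
        return majority
    def gain(f):  # information gain of splitting rows on feature f
        yes = [y for x, y in rows if x[f]]
        no = [y for x, y in rows if not x[f]]
        return entropy(labels) - (len(yes) * entropy(yes) + len(no) * entropy(no)) / len(rows)
    best = max(feats, key=gain)  # ties go to the feature listed earlier in FEATURES
    if gain(best) <= 0:
        return majority
    rest = tuple(f for f in feats if f != best)
    return {"split": best,
            True: build_tree([r for r in rows if r[0][best]], rest, majority),
            False: build_tree([r for r in rows if not r[0][best]], rest, majority)}

def predict(tree, x):
    while isinstance(tree, dict):
        tree = tree[x[tree["split"]]]
    return tree

def evaluate(predictions, labels):
    tp = sum(1 for p, y in zip(predictions, labels) if p and y)
    fp = sum(1 for p, y in zip(predictions, labels) if p and not y)
    fn = sum(1 for p, y in zip(predictions, labels) if y and not p)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

def run():
    """Score the heuristic against the labels, then fit a tree on the same labelled rows.
    The tree's score is a training-set fit (it shows the attributes can express the
    distinction, not how well it generalises; that needs held-out cookies)."""
    labels = [c[5] for c in COOKIES]
    rows = [(features(c), c[5]) for c in COOKIES]
    tree = build_tree(rows)
    return {"heuristic": evaluate([heuristic_is_auth(c[0], c[1]) for c in COOKIES], labels),
            "tree": evaluate([predict(tree, x) for x, _ in rows], labels),
            "tree_model": tree}

# Two constructed cookies the tree never saw; verdicts come back as (name, heuristic, tree).
HELD_OUT = [
    ("session_id", "Bw6Lt1Qx9Hm4Vz2Kp7Nf5Rc8Jy3Sd0Gh", True, False, False, True),
    ("_fbp", "fb.1.1434067200000.123456789", False, False, True, False),
]

def classify_held_out(tree):
    return [(c[0], heuristic_is_auth(c[0], c[1]), predict(tree, features(c))) for c in HELD_OUT]

if __name__ == "__main__":
    result = run()
    print(result["heuristic"], result["tree"], classify_held_out(result["tree_model"]), sep="\n")
```

On this constructed set the heuristic flags the two analytics identifiers and the anti-CSRF cookie (long high-entropy values, or `token` in the name) and misses the short `uid` authenticator, so it scores 5/8 precision and 5/6 recall, whereas the tree splits first on HttpOnly and then on value length, persistence and Secure, fitting every training row and classifying the two unseen cookies as labelled. The tree's perfect score is a fit to its own rows and says nothing about generalisation; the point is that deployment attributes the value heuristic never looks at carry signal, and that a labelled ground truth is what lets a learner find them.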