{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:21Z","timestamp":1777806081063,"version":"3.51.4"},"reference-count":30,"publisher":"SAGE Publications","issue":"2","license":[{"start":{"date-parts":[[2018,10,23]],"date-time":"2018-10-23T00:00:00Z","timestamp":1540252800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,3,29]]},"abstract":"<jats:p>Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When [Formula: see text] cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where each cookie is used to retrieve part of the state information related to the session. Sub-session hijacking breaks the ideal view of the existence of a unique user session by selectively hijacking m sub-sessions, with [Formula: see text]. This may reduce the security of the session to the security of its weakest sub-session. In this paper, we take a systematic look at the root causes of sub-session hijacking attacks and we introduce sub-session linking as a possible defense mechanism. Out of two flavors of sub-session linking desirable for security, which we call intra-scope and inter-scope sub-session linking respectively, only the former is relatively smooth to implement. Luckily, we also identify programming practices to void the need for inter-scope sub-session linking. 
We finally present Warden, a server-side proxy which automatically enforces intra-scope sub-session linking on incoming HTTP(S) requests, and we evaluate it in terms of protection, performances, backward compatibility and ease of deployment.<\/jats:p>","DOI":"10.3233\/jcs-181149","type":"journal-article","created":{"date-parts":[[2018,10,23]],"date-time":"2018-10-23T17:48:35Z","timestamp":1540316915000},"page":"233-257","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":8,"title":["Sub-session hijacking on the web: Root causes and prevention"],"prefix":"10.1177","volume":"27","author":[{"given":"Stefano","family":"Calzavara","sequence":"first","affiliation":[{"name":"Dipartimento di Scienze Ambientali, Informatica e Statistica, Universit\u00e0 Ca\u2019 Foscari Venezia, Italy. E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alvise","family":"Rabitti","sequence":"additional","affiliation":[{"name":"Dipartimento di Scienze Ambientali, Informatica e Statistica, Universit\u00e0 Ca\u2019 Foscari Venezia, Italy. E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michele","family":"Bugliesi","sequence":"additional","affiliation":[{"name":"Dipartimento di Scienze Ambientali, Informatica e Statistica, Universit\u00e0 Ca\u2019 Foscari Venezia, Italy. 
E-mails:\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2018,10,23]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"B.\u00a0Adida, Sessionlock: Securing web sessions against eavesdropping, in: Proceedings of the 17th International Conference on World Wide Web, WWW 2008, Beijing, China, April 21\u201325, 2008, 2008, pp.\u00a0517\u2013524.","DOI":"10.1145\/1367497.1367568"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"A.Barth, HTTP State Management Mechanism, 2011.","DOI":"10.17487\/rfc6265"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"A.\u00a0Barth, C.\u00a0Jackson and J.C.\u00a0Mitchell, Robust defenses for cross-site request forgery, in: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, 2008, pp.\u00a075\u201388.","DOI":"10.1145\/1455770.1455782"},{"key":"ref004","unstructured":"A.\u00a0Bortz, A.\u00a0Barth and A.\u00a0Czeskis, Origin cookies: Session integrity for web applications, in: Web 2.0 Security & Privacy Workshop (W2SP 2011), 2011."},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bugliesi, S.\u00a0Calzavara and R.\u00a0Focardi, Formal methods for web security, Journal of Logical and Algebraic Methods in Programming (2017).","DOI":"10.1016\/j.jlamp.2016.08.006"},{"key":"ref006","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-150529"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bugliesi, S.\u00a0Calzavara, R.\u00a0Focardi, W.\u00a0Khan and M.\u00a0Tempesta, Provably sound browser-based enforcement of web session integrity, in: Proceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014, 2014, pp.\u00a0366\u2013380.","DOI":"10.1109\/CSF.2014.33"},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"A.\u00a0Cahn, S.\u00a0Alfeld, P.\u00a0Barford and S.\u00a0Muthukrishnan, An empirical study of web cookies, 
in: Proceedings of the 25th International Conference on World Wide Web, WWW 2016, Montreal, Canada, April 11\u201315, 2016, 2016, pp.\u00a0891\u2013901. doi:10.1145\/2872427.2882991.","DOI":"10.1145\/2872427.2882991"},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"S.\u00a0Calzavara, R.\u00a0Focardi, N.\u00a0Grimm and M.\u00a0Maffei, Micro-policies for web session security, in: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June 27\u2013July 1, 2016.","DOI":"10.1109\/CSF.2016.20"},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"S.\u00a0Calzavara, R.\u00a0Focardi, M.\u00a0Squarcina and M.\u00a0Tempesta, Surviving the web: A journey into web session security, ACM Computing Surveys (2017).","DOI":"10.1145\/3038923"},{"key":"ref011","unstructured":"S.\u00a0Calzavara, A.\u00a0Rabitti and M.\u00a0Bugliesi, Dr cookie and mr token \u2013 Web session implementations and how to live with them, in: Proceedings of the Second Italian Conference on Cyber Security, Milan, Italy, February 6th\u2013to\u20139th, 2018, 2018."},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1145\/2754933"},{"key":"ref013","unstructured":"Chromium Security Team, Marking HTTP As Non-Secure, 2016."},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1145\/2220352.2220353"},{"key":"ref015","unstructured":"M.\u00a0Dietz, A.\u00a0Czeskis, D.\u00a0Balfanz and D.S.\u00a0Wallach, Origin-bound certificates: A fresh approach to strong client authentication for the web, in: Proceedings of the 21st USENIX Security Symposium, USENIX 2012, 2012, pp.\u00a0317\u2013331."},{"key":"ref016","unstructured":"K.\u00a0Fu, E.\u00a0Sit, K.\u00a0Smith and N.\u00a0Feamster, The dos and don\u2019ts of client authentication on the web, in: 10th USENIX Security Symposium, Washington, D.C., USA, August 13\u201317, 2001, 2001."},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"P.A.\u00a0Hallgren, D.T.\u00a0Mauritzson and A.\u00a0Sabelfeld, GlassTube: A 
lightweight approach to web application integrity, in: Proceedings of the 2013 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2013, 2013, pp.\u00a071\u201382.","DOI":"10.1145\/2465106.2465432"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"J.\u00a0Hodges, C.\u00a0Jackson and A.\u00a0Barth, HTTP Strict Transport Security (HSTS), 2012.","DOI":"10.17487\/rfc6797"},{"key":"ref019","doi-asserted-by":"crossref","unstructured":"M.\u00a0Johns, B.\u00a0Braun, M.\u00a0Schrank and J.\u00a0Posegga, Reliable protection against session fixation attacks, in: Proceedings of the 26th ACM Symposium on Applied Computing, SAC 2011, 2011, pp.\u00a01531\u20131537.","DOI":"10.1145\/1982185.1982511"},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"M.\u00a0Kranch and J.\u00a0Bonneau, Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning, in: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 2015 pp.\u00a08\u201311.","DOI":"10.14722\/ndss.2015.23162"},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2012.01.013"},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Mundada, N.\u00a0Feamster and B.\u00a0Krishnamurthy, Half-baked cookies: Hardening cookie-based authentication for the modern web, in: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi\u2019an, China, May 30\u2013June 3, 2016, 2016, pp.\u00a0675\u2013685.","DOI":"10.1145\/2897845.2897889"},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"N.\u00a0Nikiforakis, W.\u00a0Meert, Y.\u00a0Younan, M.\u00a0Johns and W.\u00a0Joosen, SessionShield: Lightweight protection against session hijacking, in: Proceedings of the 3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011, 2011, 
pp.\u00a087\u2013100.","DOI":"10.1007\/978-3-642-19125-1_7"},{"key":"ref024","unstructured":"OWASP, Top 10 Security Threats, 2017."},{"key":"ref025","unstructured":"F.\u00a0Roesner, T.\u00a0Kohno and D.\u00a0Wetherall, Detecting and defending against third-party tracking on the web, in: Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2012, San Jose, CA, USA, April 25\u201327, 2012, 2012, pp.\u00a0155\u2013168."},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"K.\u00a0Singh, A.\u00a0Moshchuk, H.J.\u00a0Wang and W.\u00a0Lee, On the incoherencies in web browser access control policies, in: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berkeley\/Oakland, California, USA, 16\u201319 May 2010, 2010, pp.\u00a0463\u2013478. doi:10.1109\/SP.2010.35.","DOI":"10.1109\/SP.2010.35"},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"S.\u00a0Sivakorn, A.D.\u00a0Keromytis and J.\u00a0Polakis, That\u2019s the way the cookie crumbles: Evaluating HTTPS enforcing mechanisms, in: Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society, WPES@CCS 2016, Vienna, Austria, October 24\u201328, 2016, 2016, pp.\u00a071\u201381. 
doi:10.1145\/2994620.2994638.","DOI":"10.1145\/2994620.2994638"},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"S.\u00a0Sivakorn, I.\u00a0Polakis and A.D.\u00a0Keromytis, The cracked cookie jar: HTTP cookie hijacking and the exposure of private information, in: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22\u201326, 2016, 2016, pp.\u00a0724\u2013742.","DOI":"10.1109\/SP.2016.49"},{"key":"ref029","doi-asserted-by":"crossref","unstructured":"S.\u00a0Tang, N.\u00a0Dautenhahn and S.T.\u00a0King, Fortifying web-based applications automatically, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, 2011, pp.\u00a0615\u2013626.","DOI":"10.1145\/2046707.2046777"},{"key":"ref030","unstructured":"X.\u00a0Zheng, J.\u00a0Jiang, J.\u00a0Liang, H.\u00a0Duan, S.\u00a0Chen, T.\u00a0Wan and N.\u00a0Weaver, Cookies lack integrity: Real-world implications, in: Proceedings of the 24th USENIX Security Symposium, USENIX 2015, 2015, pp.\u00a0707\u2013721."}],"container-title":["Journal of Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181149","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-181149","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181149","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:17Z","timestamp":1777495517000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-181149"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,10,23]]},"references-count":30,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2019,3,29]]}},"alternative-id":["10.3233\/JCS-181149"],"URL":"https:\/\/doi.org\/10.3233\/jcs-181149","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,10,23]]}}}