About: Session hijacking is a research topic. Over its lifetime, 360 publications have appeared on this topic, receiving 6785 citations. The topic is also known as: cookie hijacking.
TL;DR: In this article, the authors present a method to record and archive collaborative Web browsing sessions over a network. But the method is limited to the case where the second computer is instructed to log into a control site that downloads an active control, such as an applet, to the first computer, and the session is then replayed by the control site on the user's computer.
Abstract: A collaborative Web browsing session may take place over a network, allowing the presenter on a first computer to direct the audio and visual components of a browser on one or more second computers. The second computer is instructed to log into a control site that downloads an active control, such as an applet, to the second computer. The present invention allows a collaborative Web browsing session ('session'), as created by the presenter and witnessed by one or more users on second computers, to be recorded and archived by the control site. When a user of a computer is connected to the control site through a communication network such as the World Wide Web, that user may log into the control site and request to view an archived session. The session will then be replayed by the control site on the user's computer, directing the audio and visual components of the browser on the user's computer as if the user were attending the live session. The recorded session replays the events of the live session in real time, so that the playback experience contains the same audio and visual events that took place when the session was originally recorded.
TL;DR: In this paper, a collaboration adapter can be integrated into a web server or a web/application server to allow multiple computer user participants to access a single shared session to an application in a collaborative manner.
Abstract: The system of the invention provides a collaboration adapter which can be integrated into a web server or a web/application server to allow multiple computer user participants to access a single shared session to an application in a collaborative manner. The system of the invention allows a participant to create a shared session and to associate a participant identity with the shared session as the shared session owner. From then on, participants can join the shared session and submit requests for application response information to the web server containing the collaboration adapter. In cases where the application response information must be obtained from the application, the invention substitutes shared session identification information for the participant session identification information in the original participant request to create an altered request, and then forwards the altered request to the application.
TL;DR: In this paper, the authors present a system and method for secure session management and authentication between web sites and web clients, which includes both secure and non-secure communication protocols, session cookies and an authcode cookie.
Abstract: The present invention comprises a system and method for secure session management and authentication between web sites and web clients. The method includes both secure and non-secure communication protocols, means for switching between secure and non-secure communication protocols, a session cookie and an authcode cookie. The session cookie is used for session management and the authcode cookie is used for authentication. The session cookie is transmitted using a non-secure communication protocol when the web client accesses a non-secure web page, whereas the authcode cookie is transmitted using a secure communication protocol when the web client accesses a secure web page. The session management architecture and the use of two distinct cookies, together with both secure and non-secure communication protocols, prevent unauthorized users from accessing sensitive web client or web site information.
TL;DR: The proposed protocol (MP-Auth) is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security to foil session hijacking.
Abstract: Keylogging and phishing attacks can extract user identity and sensitive account information for unauthorized access to users' financial accounts. Most existing or proposed solutions are vulnerable to session hijacking attacks. We propose a simple approach to counter these attacks, which cryptographically separates a user's long-term secret input from (typically untrusted) client PCs; a client PC performs most computations but has access only to temporary secrets. The user's long-term secret (typically short and low-entropy) is input through an independent personal trusted device such as a cellphone. The personal device provides a user's long-term secrets to a client PC only after encrypting the secrets using a pre-installed, "correct" public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security to foil session hijacking. We report on a prototype implementation of MP-Auth, and provide a comparison of web authentication techniques that use an additional factor of authentication (e.g. a cellphone, PDA or hardware token).
TL;DR: In this paper, the authors present a method for sharing user information across the Internet, trackers and servers, in multiple domains, in which a first web site that wants to coordinate cookie information with a second web site creates a cookie in the browser and stores information about that cookie's contents in a cookie coordinator database.
Abstract: Methods and apparatus for sharing user information across the Internet, trackers and servers, in multiple domains. User-tracking mechanisms deploy cookies placed in the web browser to track user preferences, or use URL rewriting techniques. In an embodiment, a first web site that wants to coordinate cookie information with a second web site creates a cookie in the browser and stores information about that cookie's contents in a cookie coordinator database. It directs the client to access a resource at the second web site. The URL of the resource on the second web site encapsulates the information about the location of the client record in the cookie coordinator database. The second web site places its own cookie on the client browser, and coordinates its information with the information in the cookie set by the first web site by accessing the client record in the cookie coordinator database.