English

Language-Based Web Session Integrity

Cryptography and Security 2020-06-03 v2
Authors: Stefano Calzavara , Riccardo Focardi , Niklas Grimm , Matteo Maffei , Mauro Tempesta
View on arXiv PDF

Abstract

Session management is a fundamental component of web applications: despite the apparent simplicity, correctly implementing web sessions is extremely tricky, as witnessed by the large number of existing attacks. This motivated the design of formal methods to rigorously reason about web session security which, however, are not supported at present by suitable automated verification techniques. In this paper we introduce the first security type system that enforces session security on a core model of web applications, focusing in particular on server-side code. We showcase the expressiveness of our type system by analyzing the session management logic of HotCRP, Moodle, and phpMyAdmin, unveiling novel security flaws that have been acknowledged by software developers.

Keywords

computer security

Cite

@article{arxiv.2001.10405,
  title  = {Language-Based Web Session Integrity},
  author = {Stefano Calzavara and Riccardo Focardi and Niklas Grimm and Matteo Maffei and Mauro Tempesta},
  journal= {arXiv preprint arXiv:2001.10405},
  year   = {2020}
}

Related papers

View all related →
Software Engineering · Computer Science
An Exploration Into Web Session Security- A Systematic Literature Review
Md. Imtiaz Habib, Abdullah Al Maruf, Md. Jobair Ahmed Nabil
2023-10-18
Programming Languages · Computer Science
On the Monitorability of Session Types, in Theory and Practice (Extended Version)
Christian Batrolo Burlò, Adrian Francalanza, Alceste Scalas
2021-05-25
Programming Languages · Computer Science
Multiparty Session Type-safe Web Development with Static Linearity
Jonathan King, Nicholas Ng, Nobuko Yoshida
2019-04-03
Programming Languages · Computer Science
Towards Multiparty Session Types for Highly-Concurrent and Fault-Tolerant Web Applications
Richard Casetta, Nils Gesbert, Pierre Genevès
2026-04-09
Networking and Internet Architecture · Computer Science
Examining Web Application by Clumping and Orienting User Session Data
T. Deenadayalan, V. Kavitha, S. Rajarajeswari
2010-06-24
Programming Languages · Computer Science
Session Types Go Dynamic or How to Verify Your Python Conversations
Rumyana Neykova
2013-12-11
Cryptography and Security · Computer Science
Formal security analysis of registration protocols for interactive systems: a methodology and a case of study
Jesus Diaz, David Arroyo, Francisco B. Rodriguez
2012-09-07
Programming Languages · Computer Science
Automated Modular Verification for Race-Free Channels with Implicit and Explicit Synchronization
Andreea Costea, Wei-Ngan Chin, Florin Craciun, Shengchao Qin
2021-09-27
Cryptography and Security · Computer Science
Secure Web Access Control Algorithm
Ioan Filip, Iosif Szeidert, Cristian Vasar
2018-03-28
Programming Languages · Computer Science
Session Types for the Transport Layer: Towards an Implementation of TCP
Samuel Cavoj, Ivan Nikitin, Colin Perkins, Ornela Dardha
2024-04-09
Programming Languages · Computer Science
Gradual Session Types
Atsushi Igarashi, Peter Thiemann, Yuya Tsuda, Vasco T. Vasconcelos +1
2019-11-20
Networking and Internet Architecture · Computer Science
Session Initiation Protocol Attacks and Challenges
Hassan Keshavarz, Mohammad Reza Jabbarpour Sattari, Rafidah Md Noor
2012-05-03
Logic in Computer Science · Computer Science
Reversible Sessions Using Monitors
Claudio A. Mezzina, Jorge A. Pérez
2016-06-21
Programming Languages · Computer Science
Modular session types for objects
Simon J. Gay, Nils Gesbert, António Ravara, Vasco T. Vasconcelos
2017-01-11
Programming Languages · Computer Science
Type-Based Analysis for Session Inference
Carlo Spaccasassi, Vasileios Koutavas
2016-04-14
Software Engineering · Computer Science
Runtime Verification of Linux Kernel Security Module
Denis Efremov, Ilya Shchepetkov
2020-01-07
Programming Languages · Computer Science
Secure Prolog-Based Mobile Code
Seng Wai Loke, Andrew Davison
2007-05-23
Cryptography and Security · Computer Science
Universal Session Protocol: Mitigating Unauthenticated Remote Code Execution
Jonathon Anderson
2025-09-17
Hardware Architecture · Computer Science
Special Session: Towards an Agile Design Methodology for Efficient, Reliable, and Secure ML Systems
Shail Dave, Alberto Marchisio, Muhammad Abdullah Hanif, Amira Guesmi +3
2022-06-22
Programming Languages · Computer Science
Multiparty Dependent Session Types (Extended Abstract)
Hanwen Wu, Hongwei Xi
2018-08-02
Logic in Computer Science · Computer Science
On Asynchronous Multiparty Session Types for Federated Learning
Ivan Prokić, Simona Prokić, Silvia Ghilezan, Alceste Scalas +1
2026-03-27
Logic in Computer Science · Computer Science
Taming Concurrency for Verification Using Multiparty Session Types (Technical Report)
Kirstin Peters, Christoph Wagner, Uwe Nestmann
2019-08-20
Logic in Computer Science · Computer Science
Session Types for Link Failures (Technical Report)
Manuel Adameit, Kirstin Peters, Uwe Nestmann
2017-05-05
Cryptography and Security · Computer Science
Leveraging Large Language Models for Trustworthiness Assessment of Web Applications
Oleksandr Yarotskyi, José D'Abruzzo Pereira, João R. Campos
2026-03-26
Programming Languages · Computer Science
NEST: Network Enforced Session Types (Technical Report)
Jens Kanstrup Larsen, Alceste Scalas, Guy Amir, Jules Jacobs +2
2026-04-24