DeepAI AI Chat
Log In Sign Up

Language-Based Web Session Integrity

by   Stefano Calzavara, et al.

Session management is a fundamental component of web applications: despite the apparent simplicity, correctly implementing web sessions is extremely tricky, as witnessed by the large number of existing attacks. This motivated the design of formal methods to rigorously reason about web session security which, however, are not supported at present by suitable automated verification techniques. In this paper we introduce the first security type system that enforces session security on a core model of web applications, focusing in particular on server-side code. We showcase the expressiveness of our type system by analyzing the session management logic of HotCRP, Moodle, and phpMyAdmin, unveiling novel security flaws that have been acknowledged by software developers.


page 1

page 2

page 3

page 4


Model-View-Update-Communicate: Session Types meet the Elm Architecture

The Elm programming language pioneers the Model-View-Update (MVU) archit...

Multiparty Session Type-safe Web Development with Static Linearity

Modern web applications can now offer desktop-like experiences from with...

WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms

The complexity of browsers has steadily increased over the years, driven...

Generating Interactive WebSocket Applications in TypeScript

Advancements in mobile device computing power have made interactive web ...

How to Authenticate MQTT Sessions Without Channel- and Broker Security

This paper describes a new but state-of-the-art approach to provide auth...

An Extensive Formal Security Analysis of the OpenID Financial-grade API

Forced by regulations and industry demand, banks worldwide are working t...

Static Information Flow Control Made Simpler

Static information flow control (IFC) systems provide the ability to res...