Method and apparatus for detecting session hijacking in web-based applications
US8738782B1 · kind B1 · utility
Assignee
Inventor
Key dates
| Event | Date |
|---|---|
| Filing date | Dec 3, 2008 |
| Grant date | May 27, 2014 |
| Priority date | — |
| Expiry date | Feb 16, 2030 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L67/142
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
One embodiment of the present invention provides a system for detecting session hijacking of web-based applications. During operation, the system receives a request from a client at a server, wherein the request comprises a session cookie associated with a session and the client. Next, the system analyzes the session cookie to retrieve an order identifier for the session cookie. Note that the order identifier is generated when the session cookie is submitted to the server. The system then compares the order identifier from the session cookie with order identifiers for previously received session cookies for the session to determine if the session cookie was submitted after all of the previously received session cookies. If so, the system fulfills the request, generates a new session cookie with a new order identifier, and sends the new session cookie to the client. However, if the session cookie was not submitted after all of the previously received session cookies, the system indicates that the session has been hijacked, and terminates the session.
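The check the abstract describes, written out as a server-side session store, is given below. This is an added, constructed example and not the patent's own code: the cookie layout (`session_id:order_id:mac`), the `Server`/`Session` names, the HMAC key and the integer counter used as the order identifier are all assumptions made for the illustration. The core rule is the one in the abstract: a request is fulfilled only if the order identifier it carries is the most recently issued one for that session, after which a fresh cookie with a new order identifier is issued; an older identifier means a second party has already advanced the session, so it is flagged as hijacked and terminated.

```python
"""Session hijack detection with rotating order identifiers (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: one server-side key used to bind the order identifier to the
# session id, so a client cannot rewrite the counter in its own cookie.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    issued: list = field(default_factory=list)  # order ids issued, oldest first
    terminated: bool = False


def _sign(session_id: str, order_id: int) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{order_id}".encode(), "sha256").hexdigest()


def make_cookie(session_id: str, order_id: int) -> str:
    return f"{session_id}:{order_id}:{_sign(session_id, order_id)}"


def parse_cookie(cookie: str):
    """Return (session_id, order_id), or None if the cookie is malformed or its MAC fails."""
    try:
        sid, order_s, mac = cookie.split(":")
        order = int(order_s)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(sid, order)):
        return None
    return sid, order


class Server:
    def __init__(self):
        self.sessions = {}

    def login(self) -> str:
        """Create a session and hand out its first cookie (order identifier 0)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session()
        return self._issue(sid)

    def _issue(self, sid: str) -> str:
        # The new order identifier is generated when a cookie is submitted and
        # accepted, as in the abstract; here it is simply the next counter value.
        s = self.sessions[sid]
        order = len(s.issued)
        s.issued.append(order)
        return make_cookie(sid, order)

    def handle_request(self, cookie: str):
        """Return (status, new_cookie); status is 'ok', 'hijacked', 'invalid' or 'terminated'."""
        parsed = parse_cookie(cookie)
        if parsed is None:
            return "invalid", None
        sid, order = parsed
        s = self.sessions.get(sid)
        if s is None or s.terminated:
            return "terminated", None
        # Accept only the most recently issued identifier. Comparing for
        # equality with the latest issued value (not "greater than all
        # previous") means even an unsigned, guessed higher counter would fail.
        if order == s.issued[-1]:
            return "ok", self._issue(sid)
        # An older identifier was presented: someone else already used the
        # newer cookie, so both holders lose the session.
        s.terminated = True
        return "hijacked", None


def demo():
    """Legitimate client, then an attacker replaying a captured cookie."""
    server = Server()
    c0 = server.login()                       # user receives cookie #0
    st1, c1 = server.handle_request(c0)       # 'ok', user now holds #1
    # Constructed scenario: the attacker has captured c1 (e.g. sniffed or leaked).
    st_att, c2 = server.handle_request(c1)    # attacker submits #1 first: 'ok', gets #2
    st_user, _ = server.handle_request(c1)    # user submits stale #1: 'hijacked'
    st_att2, _ = server.handle_request(c2)    # attacker's #2 is now dead: 'terminated'
    return [st1, st_att, st_user, st_att2]


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats follow from the scheme rather than from this code. First, detection only fires on the second use of a given cookie, so whichever party submits first is served once; the value of the mechanism is that the session dies as soon as the stale copy reappears. Second, a legitimate browser that issues concurrent requests (several tabs, parallel XHR calls) will present the same cookie twice and trip the check; a deployment needs to serialize requests per session or tolerate a short overlap window, which the abstract does not address.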
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.