Measuring Web Session Security at Scale

Stefano Calzavara, H.L. Jonker, Benjamin Krumnow, Alvise Rabitti

Research output: Contribution to journalArticleAcademicpeer-review


Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild.
Original languageEnglish
Article number102472
Number of pages18
JournalComputers & Security
Early online date16 Sept 2021
Publication statusPublished - Dec 2021


  • Authentication
  • Automated login
  • Black-box testing
  • Session security
  • Shepherd
  • Web measurements
  • authentication
  • automated login
  • black-box testing
  • web measurements


Dive into the research topics of 'Measuring Web Session Security at Scale'. Together they form a unique fingerprint.

Cite this