Measuring Web Session Security at Scale

Stefano Calzavara, H.L. Jonker, Benjamin Krumnow*, Alvise Rabitti

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild.
Original languageEnglish
Article number102472
JournalComputers & Security
Early online date16 Sep 2021
Publication statusPublished - 1 Oct 2021


  • Session security
  • Shepherd
  • black-box testing
  • web measurements
  • automated login
  • authentication


Dive into the research topics of 'Measuring Web Session Security at Scale'. Together they form a unique fingerprint.

Cite this