{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T10:21:11Z","timestamp":1769941271857,"version":"3.49.0"},"reference-count":33,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,12,1]],"date-time":"2021-12-01T00:00:00Z","timestamp":1638316800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2021,12]]},"DOI":"10.1016\/j.cose.2021.102472","type":"journal-article","created":{"date-parts":[[2021,9,16]],"date-time":"2021-09-16T11:02:21Z","timestamp":1631790141000},"page":"102472","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":7,"special_numbering":"C","title":["Measuring Web Session Security at Scale"],"prefix":"10.1016","volume":"111","author":[{"given":"Stefano","family":"Calzavara","sequence":"first","affiliation":[]},{"given":"Hugo","family":"Jonker","sequence":"additional","affiliation":[]},{"given":"Benjamin","family":"Krumnow","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9555-8493","authenticated-orcid":false,"given":"Alvise","family":"Rabitti","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2021.102472_bib0001","series-title":"Proc. 32nd ACM SIGAPP Symposium On Applied Computing (SAC\u201917)","first-page":"1753","article-title":"Measuring login webpage security","author":"van Acker","year":"2017"},{"key":"10.1016\/j.cose.2021.102472_bib0002","series-title":"Proc. 23rd IEEE Computer Security Foundations Symposium (CSF\u201910)","first-page":"290","article-title":"Towards a formal foundation of web security","author":"Akhawe","year":"2010"},{"issue":"4","key":"10.1016\/j.cose.2021.102472_bib0003","doi-asserted-by":"crossref","first-page":"509","DOI":"10.3233\/JCS-150529","article-title":"CookiExt: Patching the browser against session hijacking attacks","volume":"23","author":"Bugliesi","year":"2015","journal-title":"J Comput Secur"},{"key":"10.1016\/j.cose.2021.102472_bib0004","series-title":"WWW","first-page":"321","article-title":"Sessionjuggler: secure web login from an untrusted terminal using session hijacking","author":"Bursztein","year":"2012"},{"key":"10.1016\/j.cose.2021.102472_bib0005","series-title":"Proc. 40th IEEE Symposium on Security and Privacy (SP\u201919)","first-page":"281","article-title":"Postcards from the post-HTTP world: Amplification of HTTPS vulnerabilities in the web ecosystem","author":"Calzavara","year":"2019"},{"issue":"1","key":"10.1016\/j.cose.2021.102472_bib0006","doi-asserted-by":"crossref","DOI":"10.1145\/3038923","article-title":"Surviving the web: A journey into web session security","volume":"50","author":"Calzavara","year":"2017","journal-title":"ACM Comput Surv"},{"issue":"2","key":"10.1016\/j.cose.2021.102472_bib0007","doi-asserted-by":"crossref","first-page":"233","DOI":"10.3233\/JCS-181149","article-title":"Sub-session hijacking on the web: Root causes and prevention","volume":"27","author":"Calzavara","year":"2019","journal-title":"Journal of Computer Security"},{"key":"10.1016\/j.cose.2021.102472_bib0008","series-title":"Proc. 23rd International Conference on World Wide Web (WWW\u201914)","first-page":"189","article-title":"Quite a mess in my cookie jar! leveraging machine learning to protect web authentication","author":"Calzavara","year":"2014"},{"issue":"3","key":"10.1016\/j.cose.2021.102472_bib0009","article-title":"A supervised learning approach to protect client authentication on the web","volume":"9","author":"Calzavara","year":"2015","journal-title":"ACM Transactions on the Web (TWEB)"},{"key":"10.1016\/j.cose.2021.102472_bib0010","series-title":"ISC","first-page":"354","article-title":"A dangerous mix: Large-scale analysis of mixed-content websites","volume":"volume 7807","author":"Chen","year":"2013"},{"key":"10.1016\/j.cose.2021.102472_bib0011","series-title":"Proc. 27th ACM SIGSAC Conference on Computer and Communications Security (CCS\u201920)","first-page":"1953","article-title":"The cookie hunter: Automated black-box auditing for web authentication and authorization flaws","author":"Drakonakis","year":"2020"},{"key":"10.1016\/j.cose.2021.102472_sbref0012","series-title":"Proc. 27th USENIX Security Symposium (USENIX Security\u201918)","first-page":"1475","article-title":"O single sign-off, where art thou? an empirical analysis of single sign-on account hijacking and session management on the web","author":"Ghasemisharif","year":"2018"},{"key":"10.1016\/j.cose.2021.102472_bib0013","series-title":"Proc. 28th Annual Computer Security Applications Conference (ACSAC\u201912)","first-page":"109","article-title":"Building better passwords using probabilistic techniques","author":"Houshmand","year":"2012"},{"key":"10.1016\/j.cose.2021.102472_bib0014","series-title":"Proc. 26th ACM Symposium on Applied Computing (SAC\u201916)","first-page":"1531","article-title":"Reliable protection against session fixation attacks","author":"Johns","year":"2011"},{"key":"10.1016\/j.cose.2021.102472_bib0015","series-title":"Proc. 2nd Workshop on Measurements, Attacks and Defenses for the Web (MADWEB\u201920)","first-page":"1","article-title":"Shepherd: a generic approach to automating website login","author":"Jonker","year":"2020"},{"key":"10.1016\/j.cose.2021.102472_bib0016","series-title":"Proc. 22nd Network and Distributed System Security Symposium (NDSS\u201915)","article-title":"HTTPS in mid-air: An empirical study of strict transport security and key pinning","author":"Kranch","year":"2015"},{"key":"10.1016\/j.cose.2021.102472_bib0017","doi-asserted-by":"crossref","unstructured":"Kristol D., Montulli L.. RFC 2965: HTTP state management mechanism. https:\/\/www.ietf.org\/rfc\/rfc2965.txt; 2000.","DOI":"10.17487\/rfc2965"},{"key":"10.1016\/j.cose.2021.102472_bib0018","series-title":"Proc. 26th Annual Network and Distributed System Security Symposium (NDSS\u201919)","article-title":"Tranco: A research-oriented top sites ranking hardened against manipulation","author":"Le Pochat","year":"2019"},{"key":"10.1016\/j.cose.2021.102472_bib0019","series-title":"Proc. 11th Asia Conference on Computer and Communications Security (ASIACCS\u201916)","first-page":"675","article-title":"Half-Baked Cookies: Hardening Cookie-Based Authentication for the Modern Web","author":"Mundada","year":"2016"},{"key":"10.1016\/j.cose.2021.102472_bib0020","series-title":"Proc. 3rd Symposium on Engineering Secure Software and Systems (ESSoS\u201911)","first-page":"87","article-title":"SessionShield: Lightweight protection against session hijacking","volume":"volume 6542","author":"Nikiforakis","year":"2011"},{"key":"10.1016\/j.cose.2021.102472_bib0021","unstructured":"OWASP. OWASP top ten \u2013 2017: The ten most critical web application security risks. 2017. https:\/\/owasp.org\/www-project-top-ten\/2017\/."},{"key":"10.1016\/j.cose.2021.102472_bib0022","series-title":"Proc. IFIP International Conference on Distributed Applications and Interoperable Systems","first-page":"59","article-title":"Serene: self-reliant client-side protection against session fixation","volume":"volume 7272","author":"de Ryck","year":"2012"},{"key":"10.1016\/j.cose.2021.102472_bib0023","series-title":"Proc. 33rd ACM Conference on Human Factors in Computing Systems (CHI\u201915)","first-page":"2903","article-title":"A spoonful of sugar?: The impact of guidance and feedback on password-creation behavior","author":"Shay","year":"2015"},{"issue":"4","key":"10.1016\/j.cose.2021.102472_bib0024","doi-asserted-by":"crossref","DOI":"10.1145\/2891411","article-title":"Designing password policies for strength and usability","volume":"18","author":"Shay","year":"2016","journal-title":"ACM Trans Inf Syst Secur"},{"key":"10.1016\/j.cose.2021.102472_bib0025","series-title":"Proc. 28th The Web Conference (WWW\u201919)","first-page":"3230","article-title":"What is in your password? analyzing memorable and secure passwords using a tensor decomposition","author":"Shin","year":"2019"},{"key":"10.1016\/j.cose.2021.102472_bib0026","series-title":"WPES@CCS","first-page":"71","article-title":"That\u2019s the way the cookie crumbles: Evaluating HTTPS enforcing mechanisms","author":"Sivakorn","year":"2016"},{"key":"10.1016\/j.cose.2021.102472_bib0027","series-title":"Proc. 37th IEEE Symposium on Security and Privacy (SP\u201916)","first-page":"724","article-title":"The cracked cookie jar: HTTP cookie hijacking and the exposure of private information","author":"Sivakorn","year":"2016"},{"key":"10.1016\/j.cose.2021.102472_bib0028","series-title":"NDSS","article-title":"Don\u2019t trust the locals: Investigating the prevalence of persistent client-side cross-site scripting in the wild","author":"Steffens","year":"2019"},{"key":"10.1016\/j.cose.2021.102472_bib0029","unstructured":"Symantec. Webpulse site review request. https:\/\/sitereview.norton.com\/#\/; 2021."},{"key":"10.1016\/j.cose.2021.102472_bib0030","series-title":"Proc. 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS\u201916)","first-page":"1376","article-title":"CSP is dead, long live CSP! on the insecurity of whitelists and the future of content security policy","author":"Weichselbaum","year":"2016"},{"key":"10.1016\/j.cose.2021.102472_sbref0031","series-title":"Proc. 24th USENIX Security Symposium (USENIX Security\u201915)","first-page":"707","article-title":"Cookies lack integrity: Real-world implications","author":"Zheng","year":"2015"},{"key":"10.1016\/j.cose.2021.102472_sbref0032","article-title":"Why aren\u2019t HTTP-only cookies more widely deployed","volume":"2","author":"Zhou","year":"2010","journal-title":"Proceedings of 4th Web 20 Security and Privacy Workshop"},{"key":"10.1016\/j.cose.2021.102472_sbref0033","series-title":"Proc. 23rd USENIX Security Symposium (USENIX Security\u201914)","first-page":"495","article-title":"SSOScan: Automated testing of web applications for single sign-on vulnerabilities","author":"Zhou","year":"2014"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404821002960?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404821002960?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T19:13:24Z","timestamp":1759086804000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404821002960"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,12]]},"references-count":33,"alternative-id":["S0167404821002960"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2021.102472","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2021,12]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Measuring Web Session Security at Scale","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2021.102472","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2021 Elsevier Ltd. All rights reserved.","name":"copyright","label":"Copyright"}],"article-number":"102472"}}