A secure cookie scheme

Authors:
Alex X. Liu;Jason M. Kovacs;Mohamed G. Gouda
Affiliations:
Department of Computer Science and Engineering, Michigan State University, East Lansing, MI 48824-1266, USA;Exis Web Solutions3www.exisweb.com.3;Department of Computer Sciences, The University of Texas at Austin, Austin, TX 78712-0233, USA
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2012

Citing 8
Cited 1

Secure Cookies on the Web

IEEE Internet Computing
Keying Hash Functions for Message Authentication

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Protecting Web Usage of Credit Cards Using One-Time Pad Cookie Encryption

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
A Lightweight Approach to Authenticated Web Caching

SAINT '05 Proceedings of the The 2005 Symposium on Applications and the Internet
Dos and don'ts of client authentication on the web

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Automatic Cookie Usage Setting with CookiePicker

DSN '07 Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
A Three-Tiered Testing Strategy for Cookies

ICST '08 Proceedings of the 2008 International Conference on Software Testing, Verification, and Validation
Towards a Formal Foundation of Web Security

CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium

Cookie-proxy: a scheme to prevent SSLStrip attack

ICICS'12 Proceedings of the 14th international conference on Information and Communications Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Cookies are the primary means for web applications to authenticate HTTP requests and to maintain client states. Many web applications (such as those for electronic commerce) demand a secure cookie scheme. Such a scheme needs to provide the following four services: authentication, confidentiality, integrity, and anti-replay. Several secure cookie schemes have been proposed in previous literature; however, none of them are completely satisfactory. In this paper, we propose a secure cookie scheme that is effective, efficient, and easy to deploy. In terms of effectiveness, our scheme provides all of the above four security services. In terms of efficiency, our scheme does not involve any database lookup or public key cryptography. In terms of deployability, our scheme can be easily deployed on existing web services, and it does not require any change to the Internet cookie specification. We implemented our secure cookie scheme using PHP and conducted experiments. The experimental results show that our scheme is very efficient on both the client side and the server side. A notable adoption of our scheme in industry is that our cookie scheme has been used by Wordpress since version 2.4. Wordpress is a widely used open source content management system.