Enhancing the Security of Cookies

Khu-smith, Vorapranee; Mitchell, Chris

doi:10.1007/3-540-45861-1_11

Vorapranee Khu-smith⁵ &
Chris Mitchell⁵

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2288))

Included in the following conference series:

International Conference on Information Security and Cryptology

1083 Accesses
2 Citations
3 Altmetric

Abstract

Cookies are pieces of information generated by a Web server to be stored in a user’s machine. The information in cookies can range from selected items in a user’s shopping cart to authentication information used for accessing restricted pages. While cookies are clearly very useful, they can also be abused. In this paper, security threats that cookies can pose to a user are identified, as are the security requirements necessary to defeat them. Various options to meet the security requirements are then examined. Proposed user-controlled approaches and their implementations are presented and compared with a server-controlled approach, particularly the ‘Secure Cookies’ method, to illustrate the relative advantages and disadvantages of the two approaches.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

S. Garfinkel, and G. Spafford. Web Security & Commerce. O’Reilly, 1997.
Google Scholar
B. Hancock. Security views: some cookies are not tasty. Computers & Security, 17(5):374–376, 1998.
Article Google Scholar
B. Haselton and J. McCarthy. Internet Explorer open cookie jar. http://www.peace.re.org/security/iecookies/, May 2000.
V. Khu-smith. An implementation flaw concerning Netscape Navigator and cookies. January 2001.
Google Scholar
D. Kristol and L. Montulli. HTTP State Management Mechanism — RFC2109. IETF, 1997.
Google Scholar
S. Laurent. Cookies. McGraw Hill, 1998.
Google Scholar
Netscape. Persistent Client State HTTP Cookies, 1996.
Google Scholar
J. Park and R. Sandhu. Secure cookies on the web, IEEE Internet Computing, 4(4):36–44, 2000.
Article Google Scholar
D. Ross, I. Brugiolo, J. Coates, and M. Roe. Cross-site scripting overview. http://www.microsoft.com/technet/security/, Febuary 2000.
D. Stein. Web Security. Addison Wesley, 1998.
Google Scholar

Download references

Author information

Authors and Affiliations

Information Security Group, Royal Holloway, University of London, TW20 0EX, Egham, Surrey, UK
Vorapranee Khu-smith & Chris Mitchell

Authors

Vorapranee Khu-smith
View author publications
You can also search for this author in PubMed Google Scholar
Chris Mitchell
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

International Research center for Information Security (IRIS), Information and Communications University (ICU), 58-4, Hwaam-dong-Yusong-gu, 305-732, Daejeon, Korea
Kwangjo Kim

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Khu-smith, V., Mitchell, C. (2002). Enhancing the Security of Cookies. In: Kim, K. (eds) Information Security and Cryptology — ICISC 2001. ICISC 2001. Lecture Notes in Computer Science, vol 2288. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45861-1_11

Download citation

DOI: https://doi.org/10.1007/3-540-45861-1_11
Published: 23 April 2002
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43319-4
Online ISBN: 978-3-540-45861-6
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics