Abstract
Cookies are pieces of information generated by a Web server to be stored in a user’s machine. The information in cookies can range from selected items in a user’s shopping cart to authentication information used for accessing restricted pages. While cookies are clearly very useful, they can also be abused. In this paper, security threats that cookies can pose to a user are identified, as are the security requirements necessary to defeat them. Various options to meet the security requirements are then examined. Proposed user-controlled approaches and their implementations are presented and compared with a server-controlled approach, particularly the ‘Secure Cookies’ method, to illustrate the relative advantages and disadvantages of the two approaches.
© 2002 Springer-Verlag Berlin Heidelberg
Khu-smith, V., Mitchell, C. (2002). Enhancing the Security of Cookies. In: Kim, K. (eds) Information Security and Cryptology — ICISC 2001. ICISC 2001. Lecture Notes in Computer Science, vol 2288. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45861-1_11
DOI: https://doi.org/10.1007/3-540-45861-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43319-4
Online ISBN: 978-3-540-45861-6